Message-ID: <alpine.LSU.2.00.0904121837400.27633@fbirervta.pbzchgretzou.qr>
Date:	Sun, 12 Apr 2009 18:38:44 +0200 (CEST)
From:	Jan Engelhardt <jengelh@...ozas.de>
To:	David Miller <davem@...emloft.net>
cc:	paulmck@...ux.vnet.ibm.com, torvalds@...ux-foundation.org,
	mingo@...e.hu, laijs@...fujitsu.com, shemminger@...tta.com,
	jeff.chua.linux@...il.com, dada1@...mosbay.com, kaber@...sh.net,
	r000n@...0n.net, linux-kernel@...r.kernel.org,
	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: iptables very slow after commit
 784544739a25c30637397ace5489eeb6e15d7d49


On Saturday 2009-04-11 08:00, David Miller wrote:
>From: Jan Engelhardt
>Date: Sat, 11 Apr 2009 07:14:50 +0200 (CEST)
>
>> The fact that `iptables -A` is called a hundred times means you are 
>> doing 100 table replacements -- instead of one. And calling
>> synchronize_net at least a 100 times.
>> 
>> "Wanna use iptables-restore?"
>
>I want to derail this line of thinking as fast as possible.
>
>This is not an acceptable response to this problem.  We made something
>fundamentally slower by several orders of magnitude.
>
>Therefore, saying "Don't insert your firewall rules like that." is not
>a valid response for this regression.
>
>We really have to fix it or revert.
>
Well, there is an extra tool in SUSE's iptables, which collects
rules added this way, and then commits them in one go when you
are done. Perhaps that is an "adequate" way?
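The batching idea discussed in this message, as an added example that is not part of the original e-mail and is not SUSE's tool: rules are queued instead of applied one by one, then rendered as a single `iptables-restore` payload with one `COMMIT` per table. The names `queue_rule`, `build_restore`, `count_commits` and `QUEUE` are hypothetical, and the rules are constructed samples.

```shell
#!/bin/sh
# Added illustration: queue rules, then emit one iptables-restore payload.
# QUEUE is a hypothetical scratch file; the rules below are constructed samples.

QUEUE="${TMPDIR:-/tmp}/ipt-queue.$$"

# queue_rule TABLE RULESPEC... -- record a rule instead of invoking iptables.
# Assumption: no argument contains whitespace (arguments are joined by spaces).
queue_rule() {
    table=$1; shift
    printf '%s\t%s\n' "$table" "$*" >> "$QUEUE"
}

# build_restore -- group queued rules per table in iptables-restore syntax:
# "*table", the rule lines, then a single COMMIT for that table.
build_restore() {
    for table in $(cut -f1 "$QUEUE" | sort -u); do
        printf '*%s\n' "$table"
        awk -F'\t' -v t="$table" '$1 == t { print $2 }' "$QUEUE"
        printf 'COMMIT\n'
    done
}

# count_commits -- how many table replacements the payload asks for.
count_commits() {
    build_restore | grep -c '^COMMIT$'
}

: > "$QUEUE"
i=1
while [ "$i" -le 100 ]; do
    queue_rule filter -A INPUT -s "192.0.2.$i" -j DROP
    i=$((i + 1))
done
queue_rule nat -A POSTROUTING -o eth0 -j MASQUERADE

# Dry run: show the start of the payload. To load it for real (as root),
# keeping existing rules in place:
#   build_restore | iptables-restore --noflush
build_restore | sed -n '1,3p'
echo "queued rules: $(grep -c '' "$QUEUE"), commits: $(count_commits)"
```

Here 101 queued rules across two tables produce two commits, where 101 separate `iptables -A` invocations would each replace a table.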
