Long iptables rules efficiency & performance

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP








up vote
0
down vote

favorite












When building a long iptables rules, which one is more efficient, to use one long script per line or to use the tables? What about the performance, does it have effect to packets loss and untracked packets?



Example:




  1. one script per line



    iptables -A INPUT -i wlan0 -p tcp --sport 80 -j ACCEPT



  2. using the tables



    iptables -N table1
    iptables -A INPUT -i wlan0 -j tbl1
    iptables -A table1 -p tcp --sport 80 -j ACCEPT






iptables







share|improve this question























  • To performance test see people.netfilter.org/kadlec/nftest.pdf and strongarm.io/blog/linux-firewall-performance-testing
    – Panther
    Mar 28 at 14:38














up vote
0
down vote

favorite












When building a long iptables rules, which one is more efficient, to use one long script per line or to use the tables? What about the performance, does it have effect to packets loss and untracked packets?



Example:




  1. one script per line



    iptables -A INPUT -i wlan0 -p tcp --sport 80 -j ACCEPT



  2. using the tables



    iptables -N table1
    iptables -A INPUT -i wlan0 -j tbl1
    iptables -A table1 -p tcp --sport 80 -j ACCEPT






iptables







share|improve this question























  • To performance test see people.netfilter.org/kadlec/nftest.pdf and strongarm.io/blog/linux-firewall-performance-testing
    – Panther
    Mar 28 at 14:38












up vote
0
down vote

favorite









up vote
0
down vote

favorite











When building a long iptables rules, which one is more efficient, to use one long script per line or to use the tables? What about the performance, does it have effect to packets loss and untracked packets?



Example:




  1. one script per line



    iptables -A INPUT -i wlan0 -p tcp --sport 80 -j ACCEPT



  2. using the tables



    iptables -N table1
    iptables -A INPUT -i wlan0 -j tbl1
    iptables -A table1 -p tcp --sport 80 -j ACCEPT






iptables







share|improve this question















When building a long iptables rules, which one is more efficient, to use one long script per line or to use the tables? What about the performance, does it have effect to packets loss and untracked packets?



Example:




  1. one script per line



    iptables -A INPUT -i wlan0 -p tcp --sport 80 -j ACCEPT



  2. using the tables



    iptables -N table1
    iptables -A INPUT -i wlan0 -j tbl1
    iptables -A table1 -p tcp --sport 80 -j ACCEPT






iptables




iptables






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 29 at 2:58









muru

130k19273463




130k19273463










asked Mar 28 at 8:52









smnlss689

113




113











  • To performance test see people.netfilter.org/kadlec/nftest.pdf and strongarm.io/blog/linux-firewall-performance-testing
    – Panther
    Mar 28 at 14:38
















  • To performance test see people.netfilter.org/kadlec/nftest.pdf and strongarm.io/blog/linux-firewall-performance-testing
    – Panther
    Mar 28 at 14:38















To performance test see people.netfilter.org/kadlec/nftest.pdf and strongarm.io/blog/linux-firewall-performance-testing
– Panther
Mar 28 at 14:38




To performance test see people.netfilter.org/kadlec/nftest.pdf and strongarm.io/blog/linux-firewall-performance-testing
– Panther
Mar 28 at 14:38










1 Answer
1






active

oldest

votes

















up vote
0
down vote













In your second example, you define a new chain called table1, and route incoming packets to the new chain in order to perform matching on the chain.



This can be a good strategy if, for example, the processing you do on that chain is somewhat heavy and you don't want to subject all incoming packets to it.



But in your example,



  • ALL incoming traffic on the wlan0 interface is sent to the new chain (this even includes packets that are part of established connections!)

  • The processing on that chain is trivial - just matching by source and destination port.

So in this simple example the extra complexity of defining a new chain and routing everything to it is unnecessary and redundant, and were you able to measure a performance difference, would probably result in the lower performance.



Performance really won't affect you unless you have a lot more rules or much heavier processing.






share|improve this answer




















  • It is true, from my experience (just tested it) more chains will make it more heavier. I'm using a metered data connection, It consumes more bandwith when I use more chains, and using more REJECT. It also consumes more bandwith if I use DROP insted of REJECT. But I think more chains is more secure than simply write many rules at one with less chains. I'm just wondered how windows do it, it consumes less bandwith downloading using IDM software (tested it years ago) from the internet than any linux.
    – smnlss689
    Apr 10 at 2:54











  • If efficiency is a priority at all, you should accept any related or established packets as early as possible. You may already be doing this in rules that weren't part of your example, but I mention it just in case.
    – thomasrutter
    Apr 10 at 3:37










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "89"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1019893%2flong-iptables-rules-efficiency-performance%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
0
down vote













In your second example, you define a new chain called table1, and route incoming packets to the new chain in order to perform matching on the chain.



This can be a good strategy if, for example, the processing you do on that chain is somewhat heavy and you don't want to subject all incoming packets to it.



But in your example,



  • ALL incoming traffic on the wlan0 interface is sent to the new chain (this even includes packets that are part of established connections!)

  • The processing on that chain is trivial - just matching by source and destination port.

So in this simple example the extra complexity of defining a new chain and routing everything to it is unnecessary and redundant, and were you able to measure a performance difference, would probably result in the lower performance.



Performance really won't affect you unless you have a lot more rules or much heavier processing.






share|improve this answer




















  • It is true, from my experience (just tested it) more chains will make it more heavier. I'm using a metered data connection, It consumes more bandwith when I use more chains, and using more REJECT. It also consumes more bandwith if I use DROP insted of REJECT. But I think more chains is more secure than simply write many rules at one with less chains. I'm just wondered how windows do it, it consumes less bandwith downloading using IDM software (tested it years ago) from the internet than any linux.
    – smnlss689
    Apr 10 at 2:54











  • If efficiency is a priority at all, you should accept any related or established packets as early as possible. You may already be doing this in rules that weren't part of your example, but I mention it just in case.
    – thomasrutter
    Apr 10 at 3:37














up vote
0
down vote













In your second example, you define a new chain called table1, and route incoming packets to the new chain in order to perform matching on the chain.



This can be a good strategy if, for example, the processing you do on that chain is somewhat heavy and you don't want to subject all incoming packets to it.



But in your example,



  • ALL incoming traffic on the wlan0 interface is sent to the new chain (this even includes packets that are part of established connections!)

  • The processing on that chain is trivial - just matching by source and destination port.

So in this simple example the extra complexity of defining a new chain and routing everything to it is unnecessary and redundant, and were you able to measure a performance difference, would probably result in the lower performance.



Performance really won't affect you unless you have a lot more rules or much heavier processing.






share|improve this answer




















  • It is true, from my experience (just tested it) more chains will make it more heavier. I'm using a metered data connection, It consumes more bandwith when I use more chains, and using more REJECT. It also consumes more bandwith if I use DROP insted of REJECT. But I think more chains is more secure than simply write many rules at one with less chains. I'm just wondered how windows do it, it consumes less bandwith downloading using IDM software (tested it years ago) from the internet than any linux.
    – smnlss689
    Apr 10 at 2:54











  • If efficiency is a priority at all, you should accept any related or established packets as early as possible. You may already be doing this in rules that weren't part of your example, but I mention it just in case.
    – thomasrutter
    Apr 10 at 3:37












up vote
0
down vote










up vote
0
down vote









In your second example, you define a new chain called table1, and route incoming packets to the new chain in order to perform matching on the chain.



This can be a good strategy if, for example, the processing you do on that chain is somewhat heavy and you don't want to subject all incoming packets to it.



But in your example,



  • ALL incoming traffic on the wlan0 interface is sent to the new chain (this even includes packets that are part of established connections!)

  • The processing on that chain is trivial - just matching by source and destination port.

So in this simple example the extra complexity of defining a new chain and routing everything to it is unnecessary and redundant, and were you able to measure a performance difference, would probably result in the lower performance.



Performance really won't affect you unless you have a lot more rules or much heavier processing.






share|improve this answer












In your second example, you define a new chain called table1, and route incoming packets to the new chain in order to perform matching on the chain.



This can be a good strategy if, for example, the processing you do on that chain is somewhat heavy and you don't want to subject all incoming packets to it.



But in your example,



  • ALL incoming traffic on the wlan0 interface is sent to the new chain (this even includes packets that are part of established connections!)

  • The processing on that chain is trivial - just matching by source and destination port.

So in this simple example the extra complexity of defining a new chain and routing everything to it is unnecessary and redundant, and were you able to measure a performance difference, would probably result in the lower performance.



Performance really won't affect you unless you have a lot more rules or much heavier processing.







share|improve this answer












share|improve this answer



share|improve this answer










answered Mar 29 at 0:07









thomasrutter

25.4k46086




25.4k46086











  • It is true, from my experience (just tested it) more chains will make it more heavier. I'm using a metered data connection, It consumes more bandwith when I use more chains, and using more REJECT. It also consumes more bandwith if I use DROP insted of REJECT. But I think more chains is more secure than simply write many rules at one with less chains. I'm just wondered how windows do it, it consumes less bandwith downloading using IDM software (tested it years ago) from the internet than any linux.
    – smnlss689
    Apr 10 at 2:54











  • If efficiency is a priority at all, you should accept any related or established packets as early as possible. You may already be doing this in rules that weren't part of your example, but I mention it just in case.
    – thomasrutter
    Apr 10 at 3:37
















  • It is true, from my experience (just tested it) more chains will make it more heavier. I'm using a metered data connection, It consumes more bandwith when I use more chains, and using more REJECT. It also consumes more bandwith if I use DROP insted of REJECT. But I think more chains is more secure than simply write many rules at one with less chains. I'm just wondered how windows do it, it consumes less bandwith downloading using IDM software (tested it years ago) from the internet than any linux.
    – smnlss689
    Apr 10 at 2:54











  • If efficiency is a priority at all, you should accept any related or established packets as early as possible. You may already be doing this in rules that weren't part of your example, but I mention it just in case.
    – thomasrutter
    Apr 10 at 3:37















It is true, from my experience (just tested it) more chains will make it more heavier. I'm using a metered data connection, It consumes more bandwith when I use more chains, and using more REJECT. It also consumes more bandwith if I use DROP insted of REJECT. But I think more chains is more secure than simply write many rules at one with less chains. I'm just wondered how windows do it, it consumes less bandwith downloading using IDM software (tested it years ago) from the internet than any linux.
– smnlss689
Apr 10 at 2:54





It is true, from my experience (just tested it) more chains will make it more heavier. I'm using a metered data connection, It consumes more bandwith when I use more chains, and using more REJECT. It also consumes more bandwith if I use DROP insted of REJECT. But I think more chains is more secure than simply write many rules at one with less chains. I'm just wondered how windows do it, it consumes less bandwith downloading using IDM software (tested it years ago) from the internet than any linux.
– smnlss689
Apr 10 at 2:54













If efficiency is a priority at all, you should accept any related or established packets as early as possible. You may already be doing this in rules that weren't part of your example, but I mention it just in case.
– thomasrutter
Apr 10 at 3:37




If efficiency is a priority at all, you should accept any related or established packets as early as possible. You may already be doing this in rules that weren't part of your example, but I mention it just in case.
– thomasrutter
Apr 10 at 3:37

















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1019893%2flong-iptables-rules-efficiency-performance%23new-answer', 'question_page');

);

Post as a guest
































































-

Popular posts from this blog

pylint3 and pip3 broken

Image
Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I have tried sudo apt remove --purge on various packages. I get the same when I reinstall. I have also tried reinstall using aptitude. This does not work. My current workaround is to run pylint3 as root, which works, but is bad practice. pip3 $ pip3 Traceback (most recent call last): File "/usr/lib/python3/dist-packages/pip/_vendor/__init__.py", line 33, in vendored __import__(vendored_name, globals(), locals(), level=0) ImportError: No module named 'pip._vendor.pkg_resources' During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/bin/pip3", line 9, in <module> from pip import main File "/usr/lib/python3/dist-packages/pip/__init__.py", line 13, in <module> from pip.exceptions import InstallationError, CommandError, PipError File "/usr/lib/python3/dist-packages/pip/exceptions.py", line 6, ...
Read more

Missing snmpget and snmpwalk

Image
Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I have installed Zabbix appliance, directly preinstalled and found that there is missing snmpwalk and snmpget commands. I tried to install it with: apt-get install net-snmp-utils but I have error message: Unable to locate package. I have also check what from SNMP is preinstalled and there is: libsnmp-base libsnmp30:amd64 snmp-mibs-downloader snmpd snmptrapd snmptrapfmt How can I install snmpget and snmpwalk ? snmp zabbix share | improve this question edited Jan 29 at 10:10 Yaron 8,552 7 18 38 asked Jan 29 at 9:51 Alfista 1 apt install snmp perhaps ? If named differently - apt cache snmp – fugitive Jan 29 at 10:00 add a comment  |  up vote 0 down vote favorite I have installed Zabbix appliance, directly preinstalled and found that there is missing snmpwalk and snmpget commands. I tried...
Read more

How to enroll fingerprints to Ubuntu 17.10 with VFS491

Image
Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I decided to switch from Windows to Ubuntu 17.10, I meet it like 8 years ago and I didn't decided to switch until now (haha). Well, my actual device is an HP Probook 4540s with a Validity fingerprint sensor (VFS491). The fingerprint sensor worked fine on Windows but I can't get it to work in Ubuntu. The device is recognized as 138a:003d but is not detected as a fingerprint scanner by some apps like Fingerprint GUI. I want to use the fingerprint scanner to log in into my user account in Ubuntu but it doesn't supports fingerprints without special software and the drivers of the fingerprint scanner are available for Windows but not for any Linux distribution. I found something on GitHub (https://github.com/eekpie/libfprint) about the integration of the VFS491 in libfprint and I think it can help but I don't know what to do with it, so that's why I need the help of the community to do it since I am...
Read more