
BPF comes to firewalls

BPF comes to firewalls

Posted Apr 19, 2018 2:26 UTC (Thu) by manhnt (guest, #123784)
In reply to: BPF comes to firewalls by eahay
Parent article: BPF comes to firewalls

Well, as kleptog mentioned, there are cases where an iptables update can lose some rules. I've met such cases. Does anyone know how to solve that properly? What I did was simply retrying until success, which may not be an optimum solution.



BPF comes to firewalls

Posted Aug 13, 2018 4:07 UTC (Mon) by fest3er (guest, #60379)

How many rules are you talking about? In some testing 4-6 years ago, I found that iptables could not handle more than about 20 000 rules at a time. Any more and some rules would be 'lost'. iptables was happy to add 1 000 000 rules as long as I added them around 15 000 at a time (meaning a COMMIT every 15 000 or so). Adding so many rules wasn't real speedy, but it also wasn't outrageously slow.

BPF comes to firewalls

Posted Aug 13, 2018 16:37 UTC (Mon) by antiphase (subscriber, #111993)

Use ipset to create address lists instead of using individual per-address rules. It doesn't change the reload behaviour, but it will potentially hugely reduce the number of rules if you're matching in similar ways just with different addresses, and is also faster shifting packets as a bonus.
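The two workarounds discussed in this thread (batching rule loads with a COMMIT every N rules, and collapsing per-address rules into one ipset lookup) as shell functions that emit restore streams. This is an added example, not code from any of the commenters; the chain name, set name and addresses are constructed, and nothing here touches the kernel until the output is piped into `iptables-restore --noflush` or `ipset restore`.

```shell
#!/bin/sh
# Emit an iptables-restore stream for the addresses read on stdin, one DROP
# rule per address, closing the transaction with COMMIT after every $2 rules.
# Feed the output to "iptables-restore --noflush" so the later *filter blocks
# append to the chain instead of flushing it. Constructed example; the chain
# name and batch size are caller-supplied.
gen_batched_restore() {
  chain=$1; batch=$2; n=0
  printf '*filter\n:%s - [0:0]\n' "$chain"
  while read -r addr; do
    [ -n "$addr" ] || continue
    # Start a new transaction once the current one holds $batch rules.
    if [ "$n" -gt 0 ] && [ $((n % batch)) -eq 0 ]; then
      printf 'COMMIT\n*filter\n'
    fi
    printf '%s\n' "-A $chain -s $addr -j DROP"
    n=$((n + 1))
  done
  printf 'COMMIT\n'
}

# Emit an "ipset restore" stream that puts the same addresses into one hash:ip
# set; the firewall then needs a single rule (see ipset_match_rule) instead of
# one rule per address. Constructed example; set name is caller-supplied.
gen_ipset_restore() {
  set_name=$1
  printf 'create %s hash:ip family inet\n' "$set_name"
  while read -r addr; do
    [ -n "$addr" ] || continue
    printf 'add %s %s\n' "$set_name" "$addr"
  done
}

# The one iptables rule that replaces all the per-address rules.
ipset_match_rule() {
  printf '%s\n' "-A $1 -m set --match-set $2 src -j DROP"
}

# Constructed sample input: five addresses, batched two per COMMIT.
sample_addrs() {
  printf '10.0.0.1\n10.0.0.2\n10.0.0.3\n10.0.0.4\n10.0.0.5\n'
}

sample_addrs | gen_batched_restore BLOCKLIST 2
sample_addrs | gen_ipset_restore blocklist
ipset_match_rule INPUT blocklist
```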


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds