188251 – huge time creating a thousand of rules

Bug 188251 - huge time creating a thousand of rules

Summary: huge time creating a thousand of rules

Status:	NEW

Alias:	None

Product:	Networking
Classification:	Unclassified
Component:	Netfilter/Iptables (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	networking_netfilter-iptables@kernel-bugs.osdl.org

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-11-21 14:09 UTC by Sergey
Modified:	2016-11-21 14:30 UTC (History)
CC List:	0 users

See Also:
Kernel Version:	4.4
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
random ip list for test (44.73 KB, application/gzip) 2016-11-21 14:30 UTC, Sergey	Details
Add an attachment (proposed patch, testcase, etc.)

Description Sergey 2016-11-21 14:09:36 UTC

A large number of rules are generated too long. For example about 18000.

For kernel 4.1 time about 9 minutes
For kernel 4.4 time about 3 hours

I understand that ipset more appropriate here but the slowdown for iptables seems too big.

Comment 1 Sergey 2016-11-21 14:30:01 UTC

Created attachment 245271 [details]
random ip list for test

simply script for test

========
iptables -t nat -N TEST_CHAIN
iptables -t nat -F TEST_CHAIN

IP_LIST=/tmp/iplist.txt

for IP in `cat $IP_LIST`; do
        echo iptables -t nat -A TEST_CHAIN -d $IP -j DNAT --to 127.0.0.2
        iptables -t nat -A TEST_CHAIN -d $IP -j DNAT --to 127.0.0.2
done
========

Note You need to log in before you can comment on or make changes to this bug.