
iptables performance

I'm presently using iptables to block any traffic going to hosts that do
that stupid pop-under ad thing (the ad-serving hosts, not the pages that
use the ads).  As I add more hosts, I'm a little concerned about the
performance impact of rejecting traffic to a list of hosts.  Since this
is only web traffic, I'm considering adding a "badweb" chain and having
a rule that jumps to that chain only if the dport is 80, thus freeing
other services from the performance impact.  However, this will reduce
the effectiveness of the block if some of the ad servers start listening
on non-standard ports.

Anyway, does anyone know what kind of performance impact I'll see with
more than a few destination hosts being checked?  Does the code have to
compare the destination with each host in the list, or does it do something
more intelligent like keeping a hash of the attributes listed and then
only applying the rules that are relevant to the current packet?  The ads
are annoying, but having a connection that's even slower than it is now (did
you know that the only reliable dedicated access I can get in Lincoln is
frame relay, and that even a 56K frame relay is way expensive?) would be
more annoying.

I've used squid with a rewrite script to block ads before (the one at
taz.net.au), but would rather not have to set up a transparent proxy at
this time.

Thanks for any hints or insights that don't involve me reading the code or
"hacking iptables HOWTO" myself... :)

To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.
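The chain layout the poster describes, as an added example that is not part of the original post. Within a chain, iptables tests rules top to bottom, so a "badweb" chain entered only by a `--dport 80` jump keeps the per-host scan off every other service; the second half of the script shows the hash-based alternative the poster asks about, which iptables itself does not provide but the separate ipset tool (a `hash:ip` set consulted by one `-m set` rule) does. The script only generates iptables-restore and ipset-restore text; it never touches the kernel, so it runs anywhere. Assumptions not in the post: traffic is generated locally, so the jump hangs off OUTPUT (a router would use FORWARD), hosts are supplied as addresses (iptables stores addresses, not names), and the addresses are placeholders from the 192.0.2.0/24 documentation range.

```sh
#!/bin/sh
# Added example (not from the list post): emit iptables-restore text that
# routes only TCP port-80 traffic into a dedicated "badweb" chain, so the
# per-host REJECT rules are scanned only for web packets. Nothing here is
# applied to the kernel; the output is text to inspect or to feed to
# iptables-restore / ipset restore on a real box.
#
# Assumptions (not in the original post): locally generated traffic, hence
# the jump is on OUTPUT (a router would use FORWARD); hosts are given as
# addresses; the addresses below are constructed placeholders from the
# 192.0.2.0/24 documentation range, not real ad servers.

BADWEB_HOSTS="192.0.2.10 192.0.2.11 192.0.2.12"   # constructed sample list
BADWEB_PORTS="80"                                  # add 443 to cover HTTPS too

# gen_badweb_rules HOSTS PORTS
# Prints a *filter table fragment in iptables-restore format.
gen_badweb_rules() {
    hosts=$1
    ports=$2
    echo '*filter'
    echo ':badweb - [0:0]'
    # One jump per web port: a packet with any other dport never enters
    # badweb and therefore pays nothing for the host list.
    for p in $ports; do
        echo "-A OUTPUT -p tcp --dport $p -j badweb"
    done
    # Inside badweb the kernel tests rules top to bottom, so a port-80 packet
    # to an unlisted host costs one comparison per listed host. "-p tcp" is
    # required on each rule because tcp-reset is only valid for TCP.
    for h in $hosts; do
        echo "-A badweb -p tcp -d $h -j REJECT --reject-with tcp-reset"
    done
    echo 'COMMIT'
}

# badweb_rule_count HOSTS PORTS
# Worst-case number of badweb rules a web packet traverses (one per host).
badweb_rule_count() {
    gen_badweb_rules "$1" "$2" | grep -c '^-A badweb '
}

# gen_badweb_ipset HOSTS
# Hash-based alternative: an ipset of type hash:ip holding every blocked
# address. Prints 'ipset restore' lines; membership is a hash lookup, so
# the cost stops growing with the list length.
gen_badweb_ipset() {
    echo 'create badweb_set hash:ip'
    for h in $1; do
        echo "add badweb_set $h"
    done
}

# badweb_ipset_rule
# The single iptables rule that replaces the whole per-host list once the
# set exists (goes into the badweb chain in place of the -d rules).
badweb_ipset_rule() {
    echo '-A badweb -p tcp -m set --match-set badweb_set dst -j REJECT --reject-with tcp-reset'
}

# Stand-alone run: show the linear variant, its rule count, and the ipset variant.
gen_badweb_rules "$BADWEB_HOSTS" "$BADWEB_PORTS"
echo "# badweb rules scanned per web packet: $(badweb_rule_count "$BADWEB_HOSTS" "$BADWEB_PORTS")"
gen_badweb_ipset "$BADWEB_HOSTS"
badweb_ipset_rule
```

On a host that actually runs iptables, `gen_badweb_rules "$BADWEB_HOSTS" "$BADWEB_PORTS" | iptables-restore --noflush` loads the chain next to the existing rules, and `gen_badweb_ipset "$BADWEB_HOSTS" | ipset restore` creates the set. For a list of a few dozen hosts the linear scan is a handful of microseconds per packet, which is invisible next to the serialization delay of a 56K link; the ipset form matters once the list reaches thousands of entries or must be updated without reloading rules.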