Kazaa! iptables table sizes and performance

From: Chris Lowth (dont_at_want.spam)
Date: 05/09/03


Date: Fri, 09 May 2003 15:56:15 +0100

I am working on an iptables module for Kazaa blocking, based on an 'adaptive'
approach - whereby I create REJECT rules for IP/port number pairs as the
module identifies them as being Kazaa servers.

It works fine, but I am fairly quickly creating quite a lot of rules - so I
was wondering what the limits are, in terms of the max number of rules that
can be created and the impact of very large rule sets on performance.

Does anyone have any 'real-life' experience of rule sets running into the
thousands of rules? If so - do you notice much in the way of a performance
hit?

Someone will ask (I would have done!): 'why not use the iptables "string"
module?' - well, it's because it isn't enough to safely identify a
Kazaa packet simply by the existence of a string - web pages or ftp
transfers with the same string can also be blocked - and I am after 'safe'
blocking - I don't accept the risk of blocking non-Kazaa traffic in my
attempt to block Kazaa.

Thanks.

Chris

-- 
Real address: chris at lowth dot sea oh em.
GPL e-mail anti-virus: http://protector.sourceforge.net
IPTables wizards: http://www.lowth.com/LinWiz
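As an added example (not from the original post or its author's module), the POSIX shell helper below keeps adaptive REJECT rules in a dedicated chain, adds each IP/port pair only once, and caps the list so the per-packet linear scan of the chain stays bounded. The chain name BLOCK_P2P, the cap of 2000 rules, and the state file path are assumptions; setting IPTABLES=echo dry-runs the commands without root.

```shell
#!/bin/sh
# Added example: adaptive per-IP/port REJECT rules in a dedicated chain.
# Every rule in the chain is checked linearly for each packet that reaches
# it, so the chain is only entered for TCP and its size is capped.
IPTABLES="${IPTABLES:-iptables}"               # set IPTABLES=echo to dry-run
CHAIN="${CHAIN:-BLOCK_P2P}"                    # assumed chain name
MAX_RULES="${MAX_RULES:-2000}"                 # assumed cap on adaptive rules
STATE_FILE="${STATE_FILE:-/tmp/block_p2p.list}" # assumed record of ip:port pairs

# Run once: create the chain and a single jump for TCP only, so non-TCP
# packets never walk the (potentially long) block list.
ensure_chain() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -I FORWARD 1 -p tcp -j "$CHAIN"
}

# Number of adaptive rules currently recorded.
rule_count() {
    touch "$STATE_FILE"
    wc -l < "$STATE_FILE" | tr -d ' '
}

# block_pair <ip> <port>: append one REJECT rule for the pair.
# Returns 0 if a rule was added, 1 if the pair was already blocked,
# 2 if the cap was reached (and logs it instead of growing the chain).
block_pair() {
    key="$1:$2"
    touch "$STATE_FILE"
    if grep -qxF "$key" "$STATE_FILE"; then
        return 1
    fi
    if [ "$(rule_count)" -ge "$MAX_RULES" ]; then
        echo "cap of $MAX_RULES rules reached; not adding $key" >&2
        return 2
    fi
    $IPTABLES -A "$CHAIN" -p tcp -d "$1" --dport "$2" -j REJECT || return 3
    echo "$key" >> "$STATE_FILE"
}

# Flush the whole adaptive list atomically and reset the record.
unblock_all() {
    $IPTABLES -F "$CHAIN"
    : > "$STATE_FILE"
}
```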