Hi,

>What percentage of the incoming packets in your test matched the DROP
>rule?

100% in my testing environment. In production during DDoS, probably 99% or so.

>What other rules do you have in the mangle table?

None (except the ones shorewall created).


Best regards,

Stefan Behte


-----Original Message-----
From: Tom Eastep [mailto:[email protected]]
Sent: Sat 11/2/2013 16:40
To: [email protected]
Subject: Re: [Shorewall-devel] Shorewall DROP performance
 
On 11/2/2013 3:38 AM, Stefan Behte wrote:
> Hi,
> 
>>I think the pertinent question is: are you sure that the positioning of
>>the DROP rule at present is actually causing a performance issue, and if
>>so, how did you work that out?
> 
> Yes, I'm sure, I've run several tests. I had the DROP rule on top of my
> ruleset and checked if it matched the packets (iptables -nvxL), which it
> did.
> I then added the exact same rule to the mangle table and checked if the
> packets get dropped there, which they did. I measured performance of the two
> different rulesets with several tools, e.g. ifpps and found that the
> DROP performance in the mangle table is WAY better.
> 

What percentage of the incoming packets in your test matched the DROP
rule? What other rules do you have in the mangle table?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
