* Is a match-all rule with jump to empty chain processed?
@ 2010-09-14 15:14 Data Shock
2010-09-14 17:57 ` Jan Engelhardt
0 siblings, 1 reply; 3+ messages in thread
From: Data Shock @ 2010-09-14 15:14 UTC (permalink / raw)
To: netfilter
I have an optimization question regarding iptables: Will a rule that matches all packets and jumps to a defined but empty table be processed? And if so, how much overhead is involved with jumping to an empty table?
For example, assume that I am starting with a totally empty set of rules. Then I add these rules:
-t filter -N empty_chain
-t filter -A INPUT -j empty_chain
I tested this myself and used "iptables -t filter -L -n -v" and could see that the number of packets and bytes were increasing on the "INPUT -j empty_chain" rule, so I assume that means it is being processed. The empty_chain chain has no rules, so there was no packet/data information. What kind of overhead is involved here? Is there any optimization performed internally when a chain is known to be empty?
Some of you may be curious why in the world I would want to do this. Here is the (way simplified) scenario:
I have a process that manages the iptables rules. It generates a file that can be loaded with iptables-restore. Under normal circumstances, this process is the authority for iptables rules. But, there may be some situations where a cron job needs to add a temporary override. I had originally planned to have an empty chain named "overrides" along with a corresponding rule at the top of the filter/INPUT chain that would jump to the overrides chain. All other regular rules would follow the "overrides" jump rule. *Please ignore any security issues you might imagine for now. I'm over simplifying the situation for this example.
When an override is required, like "allow all UDP destined for port 1234", the cron job could run a simple "iptables -t filter -A overrides -p udp -m udp --dport 1234 -j ACCEPT". When the override was no longer needed, it could simply flush the overrides chain.
Under normal operation the overrides chain would be empty. I hate to spend overhead processing the "match all jump to overrides" rule. I know the optimal way is really to add and remove the "-j overrides" rule as needed, but the simplicity of the cron job working with just the overrides chain is appealing.
So, does anyone with knowledge of the inner workings have an idea about overhead and possible optimization?
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Is a match-all rule with jump to empty chain processed?
2010-09-14 15:14 Is a match-all rule with jump to empty chain processed? Data Shock
@ 2010-09-14 17:57 ` Jan Engelhardt
2010-09-14 20:34 ` Data Shock
0 siblings, 1 reply; 3+ messages in thread
From: Jan Engelhardt @ 2010-09-14 17:57 UTC (permalink / raw)
To: Data Shock; +Cc: netfilter
On Tuesday 2010-09-14 17:14, Data Shock wrote:
>I have an optimization question regarding iptables: Will a rule that
>matches all packets and jumps to a defined but empty table be
>processed? And if so, how much overhead is involved with jumping to an
>empty table?
Jumping to arbitrary tables is not within the design.
>-t filter -N empty_chain
>-t filter -A INPUT -j empty_chain
That is a chain, not a table. And yes, it is processed including
overhead, as is done in many other kernel subsystems. The kernel really
is not responsible for the user's misdeeds. not use empty chains :)
>When an override is required, like "allow all UDP destined for port
>1234", the cron job could run a simple "iptables -t filter -A overrides
>-p udp -m udp --dport 1234 -j ACCEPT". When the override was no longer
>needed, it could simply flush the overrides chain.
>
>Under normal operation the overrides chain would be empty. I hate to
>spend overhead processing the "match all jump to overrides" rule.
I'd say benchmark it before calling it a problem.
^ permalink raw reply [flat|nested] 3+ messages in thread
* RE: Is a match-all rule with jump to empty chain processed?
2010-09-14 17:57 ` Jan Engelhardt
@ 2010-09-14 20:34 ` Data Shock
0 siblings, 0 replies; 3+ messages in thread
From: Data Shock @ 2010-09-14 20:34 UTC (permalink / raw)
To: netfilter
Thank you for your reply.
> Jumping to arbitrary tables is not within the design.
I'm not sure I understand this statement. Can you please elaborate?
> That is a chain, not a table.
Ooops! My mistake. I've been using iptables so much that I find myself mistakenly calling chains "tables". I thought I had checked for that before sending my e-mail. :)
> And yes, it is processed including
> overhead, as is done in many other kernel subsystems. The kernel really
> is not responsible for the user's misdeeds. not use empty chains :)
OK. I thought that the code might optimize and ignore the jump if the chain was empty, as if the rule was simply: "-t filter -A INPUT". This way it would just count the packet and data without needing to process an empty chain, possibly avoiding call stack and other overhead for what is basically a no-op. I have not had a chance to trace the code to find out exactly how it operates.
I appreciate the information.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2010-09-14 20:34 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-09-14 15:14 Is a match-all rule with jump to empty chain processed? Data Shock
2010-09-14 17:57 ` Jan Engelhardt
2010-09-14 20:34 ` Data Shock
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.