Harald Welte's blog
   

Articles on this blog/journal are licensed under a Creative Commons Attribution-NoDerivs 2.5 License.



       
Wed, 07 Jan 2004
libiptc2 woes

After quite some time, a posting on the netfilter-devel list reminded me of my unfinished work on libiptc2. The problem with old libiptc is that it has n^2 complexity when adding rules to an in-memory ruleset. This slows down iptables-restore with large rulesets.

Old libiptc has a so-called chain cache that contains pointers to the start of each chain within the ruleset blob. This chain cache has to die, and libiptc2 needs a totally separate representation of the ruleset: every rule is a malloc()ed chunk of memory, put into a linked list (which forms a chain; the chains are in turn kept in a linked list). Only at the iptc_commit() stage is this libiptc-internal representation compiled into the ruleset blob.
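A sketch of that representation, added here as an illustration and not taken from libiptc or libiptc2: all type and function names are hypothetical, and rule contents are treated as opaque bytes. Appending a rule is a constant-time list operation, and the contiguous blob is built only once, in the commit step.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical types for illustration; not libiptc's real structures. */
struct rule    { struct rule *next; size_t len; unsigned char data[]; };
struct chain   { struct chain *next; char name[32];
                 struct rule *head, *tail; size_t bytes; };
struct ruleset { struct chain *head, *tail; };

struct chain *chain_add(struct ruleset *rs, const char *name) {
    struct chain *c = calloc(1, sizeof(*c));
    if (!c) return NULL;
    strncpy(c->name, name, sizeof(c->name) - 1);
    if (rs->tail) rs->tail->next = c; else rs->head = c;
    rs->tail = c;
    return c;
}

/* O(1) append: nothing is shifted and no offsets are recomputed. */
int rule_append(struct chain *c, const void *data, size_t len) {
    struct rule *r = malloc(sizeof(*r) + len);
    if (!r) return -1;
    r->next = NULL;
    r->len = len;
    memcpy(r->data, data, len);
    if (c->tail) c->tail->next = r; else c->head = r;
    c->tail = r;
    c->bytes += len;
    return 0;
}

/* Commit step: one pass flattens every chain's rule list into a
 * contiguous blob, in chain order. The caller frees the result. */
unsigned char *ruleset_compile(const struct ruleset *rs, size_t *out_len) {
    size_t total = 0, off = 0;
    for (const struct chain *c = rs->head; c; c = c->next) total += c->bytes;
    unsigned char *blob = malloc(total ? total : 1);
    if (!blob) return NULL;
    for (const struct chain *c = rs->head; c; c = c->next)
        for (const struct rule *r = c->head; r; r = r->next) {
            memcpy(blob + off, r->data, r->len);
            off += r->len;
        }
    *out_len = total;
    return blob;
}
```

Appending to an earlier chain after a later chain already holds rules costs the same as any other append; the ordering inside the blob is settled only when `ruleset_compile()` runs.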

Let's hope Andre Uratsuka Manoel will find the time to continue this work, since I really don't even know where to start with my ever-growing TODO list :(
