[Firehol-support] Startup time

Costa Tsaousis costa at tsaousis.gr
Sat Oct 15 09:43:28 CEST 2005


Hi,

As you have noticed more than half of the time spent by FireHOL is the 
"activation" phase of the firewall. What FireHOL does during this time 
is calling /sbin/iptables hundreds or thousands of times in order to 
insert the firewall into the kernel. This time will not get better even 
if FireHOL was written in C. Of course, we could change the code 
generation of iptables to produce iptables-restore compatible files 
which are inserted into the kernel much faster. This however would 
require much more code in FireHOL, since the iptables command is a lot 
"smarter" than iptables-restore (today FireHOL passes many parameters to 
iptables as they are given in the config. This means it knows nothing 
about them. Bypassing the iptables command, means FireHOL should be 
aware of all these parameters).

For the other processing time, I think that FireHOL will loose all its 
beatty if it is not so tightly integrated with the shell. Even if we 
wanted to speed it up with C code, only some of the core could be 
rewritten to this language (still allowing the configuration to be a 
shell script), which would give us just 10-20% less time.

I believe there is no meaning to put this effort to gain just 10-20%. It 
will be slow after that too.

Thomas Arendsen Hein wrote:

>* Carlos Rodrigues <carlos.efr at mail.telepac.pt> [20051014 18:25]:
>  
>
>>BTW, on another note, even on an Athlon 1800+, with my rules FireHOL 
>>takes some 20 seconds to start (much better than the 1.5 minutes it 
>>takes on my home Pentium 133 gateway :)).
>>    
>>
>
>I remember that someone mentioned a tool on this list which can
>generate the differences between two iptables rulesets and build a
>script with the necessary insert/delete commands to change a running
>firewall with a minimum of iptables calls.
>
>This way the ruleset can be generated on a fast machine and be
>transfered to the (often not so fast for a good reason) firewall
>host.
>
>Unfortunately I can't find it at the moment.
>
>  
>
>>Startup time isn't that important (and is certainly irrelevant compared 
>>to the "amazingness" of FireHOL), but I was wondering if there are any 
>>plans (although not for the near future) to speed things up by maybe 
>>recoding some internals in C or some other faster-than-bash-scripting 
>>language.
>>    
>>
>
>I'd prefer a Python based solution for this :)
>
>Thomas
>
>  
>





More information about the Firehol-support mailing list