Hello,

I got this rather stupid question from a customer and it got me stuck somehow. It is the kind of question that shows the customer has no clue at all, but that's OK. So the question is: what is the maximum number of policies?

At first I was tempted to simply toss it away as in, well, we'll have to see how the Perl processing goes and how much RAM it takes to load a maximum number of policies on a target device. But then the target device has at least 4 LAN interfaces, and some 4 to 6 WAN interfaces. How many policies can you write for such a number of interfaces after all?

Then I got a bit curious and started to think: well, if the number of interfaces were 100 LAN interfaces and 100 WAN interfaces, would that constitute a basis for an eventual maximum number of policies?

So, is there a good answer to such a question? ;-)

Cheers.
On 01/06/10 19:29, lanas wrote:
> So, is there a good answer to such a question ? ;-)

I have not read the netfilter source code, but I guess the limitations are your RAM and processing power only.

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Tue, 01 Jun 2010 19:50:44 -0400, Cristian Rodríguez <judas_iscariote@shorewall.net> wrote:
> On 01/06/10 19:29, lanas wrote:
> > So, is there a good answer to such a question ? ;-)
>
> I have not read the netfilter source code, but I guess the limitations
> are your RAM and processing power only.

Yes. And before being installed at the netfilter/iptables level, the policies configuration has to be read by shorewall. I haven't read the shorewall Perl code so I do not know if there are any limitations in there, for instance, with a unit that would have 100 LAN and 100 WAN interfaces. As such, would there be any limitation in the shorewall code that would prevent it from dealing with a huge number of interfaces?
Michael Weickel - iQom Business Services GmbH
2010-Jun-02 09:27 UTC
Re: A rather stupid question ...
So if you are talking about physical interfaces you rather would not be able to plug such an amount of NICs into your hardware. So I assume that you are talking about VLANs, tunnels or other virtual interface types.

We have Shorewall running in a specific environment with approx. 800 VLAN interfaces and it looks like the hardware is quite bored and hungry for another 8000 interfaces. And Shorewall has really no problems with it. The only thing you should keep in mind is that if you have hundreds of interfaces you will have thousands of rules, policy, interface and other config entries. This makes Shorewall need some additional time to restart. But the longest reload time I ever saw was approx. 90 seconds, but this must not have to do with Shorewall only, since many many things are going on in the background if we restart Shorewall.

Cheers
Michael

-----Original Message-----
From: lanas [mailto:lanas@securenet.net]
Sent: Wednesday, 2 June 2010 11:25
To: Shorewall Users
Subject: Re: [Shorewall-users] A rather stupid question ...

> Yes. And before being installed at the netfilter/iptables level, the
> policies configuration has to be read by shorewall. I haven't read the
> shorewall Perl code so I do not know if there are any limitations in
> there, for instance, with a unit that would have 100 LAN and 100 WAN
> interfaces. As such, would there be any limitation in the shorewall
> code that would prevent it from dealing with a huge number of
> interfaces ?
On 6/2/10 2:25 AM, lanas wrote:
> Yes. And before being installed at the netfilter/iptables level, the
> policies configuration has to be read by shorewall. I haven't read the
> shorewall Perl code so I do not know if there are any limitations in
> there, for instance, with a unit that would have 100 LAN and 100 WAN
> interfaces. As such, would there be any limitation in the shorewall
> code that would prevent it from dealing with a huge number of
> interfaces ?

Shorewall 4.4 has only a couple of architectural limits.

- Maximum of 252 providers.
- Maximum of 255 interfaces in /etc/shorewall/tcdevices unless you assign class Ids manually.

I have a report from a user of a RHEL5-based system that iptables-restore would fail when asked to restore more than ~62k rules.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
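The practical check a reader would want after Tom's reply is how close a generated ruleset actually is to the ~62k-rule iptables-restore figure he reports. The script below is an added example, not part of this thread or of Shorewall itself: it reads an iptables-save dump (which is also what iptables-restore consumes) from stdin, counts `-A` rule lines overall and per table, counts the distinct interfaces the rules reference, and warns when the rule count exceeds a configurable budget. The limit value comes from Tom's message; the embedded dump is a constructed sample, and `RULE_LIMIT` and the function names are my own choices.

```shell
#!/bin/sh
# Added example: sanity-check an iptables-save dump against the ~62k-rule
# iptables-restore failure reported on the list. Not Shorewall code.

# Approximate rule count at which a RHEL5 iptables-restore was reported to
# fail (figure from Tom's reply; treat it as a budget, not a hard spec).
RULE_LIMIT=62000

# Count rule lines in an iptables-save dump read from stdin.
# Only "-A" lines are rules; "*table", ":chain" and COMMIT lines are not.
count_rules() {
    awk '/^-A /{n++} END{print n+0}'
}

# Rules per table, one "table count" line per table (order unspecified).
rules_per_table() {
    awk '/^\*/{t=substr($0,2)}
         /^-A /{c[t]++}
         END{for(k in c) printf "%s %d\n", k, c[k]}'
}

# Number of distinct interfaces named via -i / -o in the rules.
count_interfaces() {
    awk '/^-A /{for(i=1;i<=NF;i++) if($i=="-i"||$i=="-o") seen[$(i+1)]=1}
         END{n=0; for(k in seen) n++; print n}'
}

# Read a dump from stdin; print a summary and return 1 if over budget.
check_rule_budget() {
    n=$(count_rules)
    if [ "$n" -gt "$RULE_LIMIT" ]; then
        printf 'WARNING: %s rules exceeds the ~%s rule budget\n' "$n" "$RULE_LIMIT" >&2
        return 1
    fi
    printf 'OK: %s rules (budget %s)\n' "$n" "$RULE_LIMIT"
    return 0
}

# Constructed sample dump in iptables-save format (not captured from a real box).
SAMPLE_DUMP=$(cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:net2fw - [0:0]
-A INPUT -i eth0 -j net2fw
-A INPUT -i lo -j ACCEPT
-A net2fw -p tcp --dport 22 -j ACCEPT
-A net2fw -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
)

# Usage: ./rulecount.sh < /path/to/dump  (or with no input, use the sample).
if [ -t 0 ]; then
    DUMP=$SAMPLE_DUMP
else
    DUMP=$(cat)
    [ -n "$DUMP" ] || DUMP=$SAMPLE_DUMP
fi
printf '%s\n' "$DUMP" | rules_per_table
printf 'interfaces referenced: %s\n' "$(printf '%s\n' "$DUMP" | count_interfaces)"
printf '%s\n' "$DUMP" | check_rule_budget || true
```

On a live system, feed it `iptables-save` output (`iptables-save | sh rulecount.sh`); the per-table breakdown is useful because a large Shorewall configuration with many interfaces usually grows the filter and mangle tables far faster than nat.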