iptables can be optimized by putting the most-used rule at the top, such as the well-known RELATED/ESTABLISHED rule that matches after connection establishment. Optimization can also be done by using jumps to avoid very long chains. This link shows an example.
My question is about optimizing the rule itself. How will performance be affected by adding and/or deleting some checks in a specific rule? What about the order of these checks? For example, this rule:
iptables -A FORWARD -i eth0 -s source_ip -d dest_ip -p tcp --dport 80 -j ACCEPT
can be rewritten as:
iptables -A FORWARD -s source_ip -d dest_ip -p tcp --dport 80 -j ACCEPT
Both rules will allow HTTP traffic from a specific source to a specific destination. Do you think there will be a performance difference between the two? Also, the checks can be reordered as:
iptables -A FORWARD -p tcp --dport 80 -s source_ip -d dest_ip -i eth0 -j ACCEPT
Will this also make a difference, or will iptables automatically take care of it?
No, as you're just reordering strings that are fed to the command options parser, and
create system call iptc_append_entry() with the same arguments.
create system call iptc_append_entry() with other ipt_entry struct (without iniface)... I think the performance will not change.
Whenever in doubt, enter the iptables line you're investigating, and do an iptables-save | less afterwards.
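The following is an added example, not code from the question or either answer, that models the two points raised on this page: that the command-line order of -i/-s/-d/-p does not survive into the stored rule, and that iptables-save shows you the stored entry rather than the string you typed. In the kernel's entry, the -s/-d/-i/-o/-p values occupy fixed slots (struct ipt_ip) that are checked in a fixed order, whereas match extensions such as -m tcp or -m state are appended in the order they appear on the command line and evaluated in that stored order. The model goes one step beyond the question to show that second point: reordering -m extensions does change which check runs first. Rule strings, addresses and the packet are constructed for the example; the parser and evaluator are a simplified stand-in for libiptc and ip_packet_match(), not their real implementation (real iptables-save also prints /32 masks and other normalizations this model omits).

```python
"""Simplified model (not iptables/kernel code) of how an iptables -A command is
stored and evaluated: header fields in fixed slots and fixed check order,
match extensions in command-line order."""
import ipaddress
import shlex

HEADER_ORDER = ("src", "dst", "iniface", "outiface", "proto")
HEADER_FLAGS = {"-s": "src", "-d": "dst", "-i": "iniface", "-o": "outiface", "-p": "proto"}
SAVE_FLAGS = {v: k for k, v in HEADER_FLAGS.items()}
IMPLICIT_OPTS = ("--dport", "--sport")  # belong to the "-m <proto>" extension


def parse_rule(cmdline):
    """Split 'iptables -A ...' into {chain, header, matches, target}.

    Header flags land in fixed slots whatever their position; each -m (or an
    implicitly loaded protocol match) is appended at the position it is seen."""
    argv = shlex.split(cmdline)
    if argv and argv[0] == "iptables":
        argv = argv[1:]
    if len(argv) % 2:
        raise ValueError("every option in this model takes exactly one value")
    rule = {"chain": None, "header": {}, "matches": [], "target": None}
    current = None  # extension that receives the next --option
    for opt, val in zip(argv[::2], argv[1::2]):
        if opt == "-A":
            rule["chain"] = val
        elif opt in HEADER_FLAGS:
            rule["header"][HEADER_FLAGS[opt]] = val
        elif opt == "-j":
            rule["target"] = val
        elif opt == "-m":
            current = (val, {})
            rule["matches"].append(current)
        elif opt in IMPLICIT_OPTS:
            # "-p tcp --dport 80" loads "-m tcp" on first use, at this position.
            proto = rule["header"].get("proto")
            if proto is None:
                raise ValueError(f"{opt} requires -p")
            found = [m for m in rule["matches"] if m[0] == proto]
            ext = found[0] if found else (proto, {})
            if not found:
                rule["matches"].append(ext)
            ext[1][opt] = val
        elif opt.startswith("--") and current is not None:
            current[1][opt] = val
        else:
            raise ValueError(f"unsupported option {opt}")
    return rule


def canonical(rule):
    """Render the stored entry in iptables-save layout: fixed header order,
    then each extension with its options, then the target."""
    parts = ["-A", rule["chain"]]
    for key in HEADER_ORDER:
        if key in rule["header"]:
            parts += [SAVE_FLAGS[key], rule["header"][key]]
    for name, opts in rule["matches"]:
        parts += ["-m", name]
        for opt, val in opts.items():
            parts += [opt, val]
    parts += ["-j", rule["target"]]
    return " ".join(parts)


def evaluate(rule, packet):
    """Return (matched, trace). Header checks run first in fixed order, then
    extensions in stored order; evaluation stops at the first failing check."""
    trace = []
    for key in HEADER_ORDER:
        if key not in rule["header"]:
            continue
        trace.append(key)
        want, have = rule["header"][key], packet.get(key)
        if key in ("src", "dst"):
            ok = have is not None and ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
        else:
            ok = want == have
        if not ok:
            return False, trace
    for name, opts in rule["matches"]:
        trace.append("-m " + name)
        for opt, val in opts.items():
            if opt in IMPLICIT_OPTS:
                ok = str(packet.get(opt[2:])) == val
            elif opt == "--state":
                ok = packet.get("state") in val.split(",")
            else:
                raise ValueError(f"unsupported match option {opt}")
            if not ok:
                return False, trace
    return True, trace


# Constructed sample rules (documentation addresses) mirroring the question.
RULE_ORIGINAL = "iptables -A FORWARD -i eth0 -s 198.51.100.5 -d 192.0.2.10 -p tcp --dport 80 -j ACCEPT"
RULE_NO_IFACE = "iptables -A FORWARD -s 198.51.100.5 -d 192.0.2.10 -p tcp --dport 80 -j ACCEPT"
RULE_REORDERED = "iptables -A FORWARD -p tcp --dport 80 -s 198.51.100.5 -d 192.0.2.10 -i eth0 -j ACCEPT"
# Two rules that differ only in the order of their -m extensions.
RULE_STATE_FIRST = "iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --dport 80 -j ACCEPT"
RULE_TCP_FIRST = "iptables -A FORWARD -p tcp --dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT"
PACKET = {"src": "198.51.100.5", "dst": "192.0.2.10", "iniface": "eth0",
          "proto": "tcp", "dport": 80, "state": "ESTABLISHED"}  # constructed packet

if __name__ == "__main__":
    for name in ("RULE_ORIGINAL", "RULE_REORDERED", "RULE_NO_IFACE", "RULE_STATE_FIRST", "RULE_TCP_FIRST"):
        rule = parse_rule(globals()[name])
        print(f"{name:16} stored as: {canonical(rule)}")
        print(f"{'':16} checks run: {evaluate(rule, PACKET)}")
```

Running the script shows RULE_ORIGINAL and RULE_REORDERED stored identically (the only difference the parser preserved is that RULE_NO_IFACE lacks -i eth0), while RULE_STATE_FIRST and RULE_TCP_FIRST produce different stored entries and different check traces. The practical reading for the question: reordering -i/-s/-d/-p is free because the kernel never sees that order, but the order in which you write -m extensions is the order in which the kernel runs them, so put the cheapest or most selective extension first.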