The limitation of network ACL rules

Hi All,

I'm using OpenWrt V18.06.1, and is there any configuration file or specification to know the limitation size of network ACL rules?


Are you asking about firewall usage? Two options, fw3 or you can use raw iptables commands to construct the strategy you want.



Hi Sparks,

Thanks for your information.
Is there any method to get/set the limitation size of firewall ACL rules by fw3 or iptables raw command?
Because i want to know the maximum ACL rules that user can add?


As far as I know, there is no hard limit, depends on your hardware and how many rules you have before performance would start to fall off. How many rules do you think you’ll need /what’s your use case?


If you need more than a couple hundred rules, you're likely to be doing things "wrong"

  • That's too many non-repetitive rules to be able to comprehend, so its unlikely it is working as you expect in all cases
  • If they're repetitive there are probably better ways to express them

Ipsets also make things much simpler, you can test millions of IP addresses in one O(1) rule

1 Like

Hi All,

Thank you for your kindly reply.
I'm using NXP LS1046A chip and based on OpenWrt 18.06.1.
How can i to get the kernel memory size for ACL rules or how to know the standard netfilter capabilities?


Have a quick read of the stackoverflow link that @vgaetera provided above. Per the top answer in that thread, the amount of memory needed per rule is dependent entirely on what the rule does..

But as per Jeff’s comment too, if you have more than a few hundred rules, chances are it’s not going to behave as you expected all the time (ie too complicated / unmaintainable)

I guess it might seem tedious, but it’s so much easier for us to help when the OP provides the full picture,

  1. what you’re trying to do (and why),
  2. and what contrainsts you need/want to work within (and why) ,
  3. plus constraints your required to work within, boss/legal/technical, ( and why, assuming you can share that info )

Can you provide a bit more detail on what you’re trying to accomplish?

1 Like