The limitation of network ACL rules

joeylee · March 8, 2019, 7:46am

Hi All,

I'm using OpenWrt V18.06.1, and is there any configuration file or specification to know the limitation size of network ACL rules?

Thanks

Sparks · March 8, 2019, 10:03am

Are you asking about firewall usage? Two options, fw3 or you can use raw iptables commands to construct the strategy you want.

Doco https://openwrt.org/docs/guide-user/firewall/start

joeylee · March 11, 2019, 11:29am

Hi Sparks,

Thanks for your information.
Is there any method to get/set the limitation size of firewall ACL rules by fw3 or iptables raw command?
Because i want to know the maximum ACL rules that user can add?

Thanks.

Sparks · March 11, 2019, 2:19pm

As far as I know, there is no hard limit, depends on your hardware and how many rules you have before performance would start to fall off. How many rules do you think you’ll need /what’s your use case?

vgaetera · March 12, 2019, 2:58am

jeff · March 12, 2019, 4:11am

If you need more than a couple hundred rules, you're likely to be doing things "wrong"

That's too many non-repetitive rules to be able to comprehend, so its unlikely it is working as you expect in all cases
If they're repetitive there are probably better ways to express them

dlakelan · March 12, 2019, 4:20am

Ipsets also make things much simpler, you can test millions of IP addresses in one O(1) rule

joeylee · March 12, 2019, 6:50am

Hi All,

Thank you for your kindly reply.
I'm using NXP LS1046A chip and based on OpenWrt 18.06.1.
How can i to get the kernel memory size for ACL rules or how to know the standard netfilter capabilities?

Thanks,

Sparks · March 12, 2019, 10:11am

Have a quick read of the stackoverflow link that @vgaetera provided above. Per the top answer in that thread, the amount of memory needed per rule is dependent entirely on what the rule does..

But as per Jeff’s comment too, if you have more than a few hundred rules, chances are it’s not going to behave as you expected all the time (ie too complicated / unmaintainable)

I guess it might seem tedious, but it’s so much easier for us to help when the OP provides the full picture,

what you’re trying to do (and why),
and what contrainsts you need/want to work within (and why) ,
plus constraints your required to work within, boss/legal/technical, ( and why, assuming you can share that info )

Can you provide a bit more detail on what you’re trying to accomplish?