Americo, one thing that would interest me, if you could produce a comparison: if your test rules don't contain input or output device (-i or -o) specifications, could you compile net/ipv4/netfilter/ip_tables.c with the patch below applied? This removes any checking for the devices. I suspect a measurable influence on rule check latency, and would be glad if you could substantiate (or refute) that feeling.
best regards Patrick --- ip_tables.c Sat Mar 2 14:48:53 2002 +++ /tmp/ip_tables.c Sun Mar 17 11:12:01 2002 @@ -149,6 +149,7 @@ return 0; } +#if 0 /* Look for ifname matches; this should unroll nicely. */ for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) { ret |= (((const unsigned long *)indev)[i] @@ -175,6 +176,7 @@ ipinfo->invflags&IPT_INV_VIA_OUT ?" (INV)":""); return 0; } +#endif /* Check specific protocol */ if (ipinfo->proto
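Review bot: the `#if 0` in the first hunk removes the interface comparison outright rather than short-circuiting it, so a rule that does carry -i or -o will match traffic arriving on any device once this is compiled in; that is acceptable for the latency measurement being requested, but the patch must stay a benchmark-only build and never reach a tree that evaluates real rulesets. If the measurement is to be kept around, guard the block with a dedicated macro (e.g. `#ifndef IPT_BENCH_NO_IFNAME`) instead of `#if 0` so the disabled check is explicit and greppable.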
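Review bot: the `#endif` in the second hunk closes the block after the out-device `return 0;`, which means the `i` and `ret` used in the removed `for (i = 0, ret = 0; ...)` loop, if they are declared at function scope as that form suggests, now become unused and will draw compiler warnings; either move their declarations inside the same `#if 0` region or mark them unused for the benchmark build. It would also help the comparison to note in the mail which compiler flags were used, since the comment says the loop "should unroll nicely" and the measured difference will depend on whether that unrolling actually happened.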