> In short: rules are scanned sequentially in the order they appear in a chain,
> until a full match meets a terminating target. For each rule checked, source
> and destination interface and IP addresses are _always_ checked (even if
> not specified / visible in the rule), and any type of "-p" and "-m" match
> is checked after interface/addresses matched. Thus, IP addresses alone are
> faster than IP addresses plus TCP ports - the latter is already a "special
> case" the way things are implemented.

Good! Thanks a lot!! And I also have looked at the source and made a diagram
to track what's going on and now I

> BTW, there's an IMHO not insignificant optimization potential given by the
> current always-match-both-interfaces logic. For each rule, the information
> about the interfaces to check takes two full 32 byte cache lines on P-III,
> for each rule. Lots of rules don't reference interfaces at all, but
> nevertheless the check loop needs to touch those cache lines.

Thanks for your prompt response. Sorry, but you caught me off guard on this
last paragraph. I don't quite understand what you're talking about here. I know
that you extended your explanation, but still, where can I find more info about
this to understand it better?

> So, if your analysis includes a part where you make a small modification
> giving a good measurable impact, I'd propose you see how to give two
> bits saying "check source interface / destination interface" to each rule,
> and only touch those cachelines when the bits are set.

--- cachelines ?? --- what do you mean?

You mean rules that look something like this:

  iptables -P INPUT ACCEPT
  iptables -A INPUT -i eth0 -s X.X.X.X -j DROP
  (... add more rules to 'filter_eth' chain )

Hold on! Doing this will make iptables run through the algorithm twice, right?
 - because it would jump to 'ip_packet_match( )',
 - run the IP address code first (and find no match),
 - then the interface (find the match),
 - and then jump again to 'ip_packet_match( )' to find matches for the IP address
...so we are going through the code twice, correct? Is that what we are looking for?

What about just this? (example 2)

  iptables -P INPUT DROP
  iptables -A INPUT -i eth0 -j ACCEPT

Is it better if I try it like this, just to test how long that piece of code takes?

Thank you,
Americo

PS: after that test I would add your patch and test everything over again
without checking of "source or destination interface", correct!?
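The traversal described in the quoted reply (sequential scan, addresses and interfaces compared for every rule, "-p"/"-m" matches only after the base match, first terminating target wins) can be modelled outside the kernel to see why an address-only rule costs less than an address-plus-port rule, and what the proposed "check interface" bits would save. The following is an added illustration for this thread, not netfilter source: `Rule`, `Packet`, `traverse` and the cost counter are a simplified model whose names only echo the kernel's `ip_packet_match()`, and the addresses and rule sets are constructed from the two examples in the mail.

```python
"""Simplified model of iptables chain traversal, counting field comparisons.
Illustration only; it is not the kernel's ipt_do_table()/ip_packet_match()."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TERMINATING = {"ACCEPT", "DROP"}


@dataclass(frozen=True)
class Rule:
    target: str
    src: Optional[str] = None      # -s CIDR; None behaves like 0.0.0.0/0
    dst: Optional[str] = None      # -d CIDR
    in_if: Optional[str] = None    # -i; None matches any interface
    out_if: Optional[str] = None   # -o
    proto: Optional[str] = None    # -p (extended match)
    dport: Optional[int] = None    # --dport (extended match)

    def uses_interfaces(self) -> bool:
        return self.in_if is not None or self.out_if is not None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str = ""
    proto: str = "tcp"
    dport: int = 0


@dataclass
class Cost:
    base: int = 0   # address / interface comparisons
    ext: int = 0    # -p / -m comparisons

    def total(self) -> int:
        return self.base + self.ext


def _addr_ok(cidr: Optional[str], addr: str) -> bool:
    return cidr is None or ip_address(addr) in ip_network(cidr)


def _iface_ok(want: Optional[str], have: str) -> bool:
    return want is None or want == have


def ip_packet_match(rule: Rule, pkt: Packet, cost: Cost,
                    skip_unused_ifaces: bool = False) -> bool:
    """Base match: addresses, then interfaces, stopping at the first mismatch.
    skip_unused_ifaces models the proposed per-rule bits: interface fields are
    not touched for rules that never specified -i/-o."""
    cost.base += 1
    if not _addr_ok(rule.src, pkt.src):
        return False
    cost.base += 1
    if not _addr_ok(rule.dst, pkt.dst):
        return False
    if skip_unused_ifaces and not rule.uses_interfaces():
        return True
    cost.base += 1
    if not _iface_ok(rule.in_if, pkt.in_if):
        return False
    cost.base += 1
    return _iface_ok(rule.out_if, pkt.out_if)


def extended_match(rule: Rule, pkt: Packet, cost: Cost) -> bool:
    """-p / -m style matches, only evaluated after the base match succeeded."""
    if rule.proto is not None:
        cost.ext += 1
        if rule.proto != pkt.proto:
            return False
    if rule.dport is not None:
        cost.ext += 1
        if rule.dport != pkt.dport:
            return False
    return True


def traverse(rules: List[Rule], policy: str, pkt: Packet,
             skip_unused_ifaces: bool = False) -> Tuple[str, Cost]:
    """Scan the chain in order; first matching terminating target decides."""
    cost = Cost()
    for rule in rules:
        if not ip_packet_match(rule, pkt, cost, skip_unused_ifaces):
            continue
        if not extended_match(rule, pkt, cost):
            continue
        if rule.target in TERMINATING:
            return rule.target, cost
        # non-terminating target (e.g. LOG): keep scanning
    return policy, cost


# Constructed sample data; X.X.X.X from the mail becomes 192.0.2.7 (doc range).
PKT_SSH_ETH0 = Packet(src="192.0.2.7", dst="192.0.2.1", in_if="eth0", dport=22)
PKT_OTHER_ETH0 = Packet(src="198.51.100.9", dst="192.0.2.1", in_if="eth0", dport=22)
EXAMPLE1 = [Rule("DROP", src="192.0.2.7", in_if="eth0")]           # policy ACCEPT
EXAMPLE2 = [Rule("ACCEPT", in_if="eth0")]                          # policy DROP
ADDR_ONLY = [Rule("ACCEPT", src="192.0.2.0/24")]
ADDR_PORT = [Rule("ACCEPT", src="192.0.2.0/24", proto="tcp", dport=22)]

if __name__ == "__main__":
    for name, rules, policy in (("example1", EXAMPLE1, "ACCEPT"),
                                ("example2", EXAMPLE2, "DROP"),
                                ("addr-only", ADDR_ONLY, "DROP"),
                                ("addr+port", ADDR_PORT, "DROP")):
        verdict, c = traverse(rules, policy, PKT_SSH_ETH0)
        print(f"{name:10s} -> {verdict:6s} base={c.base} ext={c.ext}")
    _, c = traverse(ADDR_ONLY, "DROP", PKT_SSH_ETH0, skip_unused_ifaces=True)
    print(f"addr-only with interface bits: base={c.base}")
```

Running it shows the two points from the quoted text: the address-plus-port rule costs the four base comparisons plus two extended ones where the address-only rule stops at four, and a packet whose source does not match is rejected after a single comparison, so the base match is not run "twice" for one rule. The `skip_unused_ifaces` flag only reduces the count for rules that carry no `-i`/`-o`, which is exactly the set of rules the proposed bits would affect.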