On Wed, 22 Jan 2003, Jeremy Enos wrote:
> I hadn't thought of this before... is there any data on the overhead of
> iptables rules? i.e. 20 rules vs 200 rules vs 2000 rules? If it's
> insignificant, I would think it would be best to keep them individually
I agree. But I'd be willing to bet that there's a performance penalty.
I don't have any numbers; does anyone have some time to generate some, or
poke through the iptables code to see what it does?
Disclaimer: I've never looked at the iptables code to know how it works.
I'd be willing to bet that there's linked lists (or arrays) of rules that
are traversed for each packet (or connection setup). So, the more rules
you have, the more time is spent processing each item. That being said,
it all depends on how iptables indexes its rules -- there could be
intelligent lookups such that only relevant rules are examined/invoked for
each packet/connection (vs. searching through all the rules to find the
relevant ones). [shrug]
> assigned as they are now. I say that because once we "group" nodes into
> a mask, there are going to be feature requests for exceptions,
> priorities, overlaps, etc. Eewww. Ick. Running away now.
I agree -- getting in the feeping creatures would not be a good idea.
But if we provide reasonable defaults that cover 70-80% of common
configurations, the remaining 20-30% can go hand-tweak files if they
want/need to.
--
{+} Jeff Squyres
{+} [EMAIL PROTECTED]
{+} http://www.lam-mpi.org/
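Added illustration (not part of the original thread, and not the OSCAR project's code): a small simulation of the first-match chain walk Jeff guesses at, comparing per-node /32 rules against one masked rule for the whole cluster, and showing why an exception to a masked rule must come first. Addresses (10.0.0.0/24, 192.0.2.1) are constructed for the example.

```python
import ipaddress

# A chain is an ordered list of (network, action); first match wins,
# which is how an iptables chain is walked.  Returns the action taken
# and how many rules had to be examined to reach it.
def first_match(rules, src_ip, default="DROP"):
    src = ipaddress.ip_address(src_ip)
    for examined, (net, action) in enumerate(rules, start=1):
        if src in net:
            return action, examined
    return default, len(rules)

def per_node_rules(node_ips):
    """One /32 ACCEPT per node, the style the thread currently uses."""
    return [(ipaddress.ip_network(ip), "ACCEPT") for ip in node_ips]

def masked_rules(cluster_net, exceptions=()):
    """One ACCEPT for the cluster mask; any per-host exceptions are
    placed *before* it, otherwise they would never be reached."""
    rules = [(ipaddress.ip_network(ip), "DROP") for ip in exceptions]
    rules.append((ipaddress.ip_network(cluster_net), "ACCEPT"))
    return rules

def compare(n_nodes):
    """Rules examined for a packet from the last node and from an
    outside host, under both rule styles (n_nodes <= 254)."""
    nodes = [f"10.0.0.{i}" for i in range(1, n_nodes + 1)]  # constructed
    last, outsider = nodes[-1], "192.0.2.1"
    per_node, masked = per_node_rules(nodes), masked_rules("10.0.0.0/24")
    return {
        "per_node_last": first_match(per_node, last),
        "per_node_outsider": first_match(per_node, outsider),
        "masked_last": first_match(masked, last),
        "masked_outsider": first_match(masked, outsider),
    }

if __name__ == "__main__":
    for name, (action, examined) in compare(200).items():
        print(f"{name:18s} {action:6s} after {examined} rule(s)")
    ok = masked_rules("10.0.0.0/24", exceptions=["10.0.0.7"])
    print("exception first:", first_match(ok, "10.0.0.7"))
    print("exception last: ", first_match(list(reversed(ok)), "10.0.0.7"))
```

With 200 nodes the per-node chain examines 200 rules for both an accepted node and a rejected outsider, while the masked chain examines one; the reversed-exception case shows the packet accepted by the mask before the exception is ever seen.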
_______________________________________________
Oscar-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/oscar-devel