Here's the pfilter scoop:

I designed pfilter to produce very efficient rulesets. The first rule in both the INPUT and FORWARD chains is this:

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

What this means is that once any TCP connection is in progress, or once a set of related UDP packets are going back and forth, every packet of those sequences is passed after examining just that single rule. All of the rest of the rules are only looked at (until a match) for the first packets of new or unknown connections. You can't get much more efficient than that.

What will eventually happen is that the oscar pfilter package will notice when there is more than one network interface and will ask in the configuration, for those network interfaces that have private style addressing, if each of those network interfaces is a cluster only network, and when answered yes the pfilter rulesets that are generated will say just "trusted ethX ethY" or whatever instead of "trusted node1 node2 ...". And I'll probably also give the installer a configuration question for public addressed interfaces that allows them to specify one or more netmasks to put in a "trusted" line which will swallow specific "trusted node(s)" lines if the node addresses are in one of the trusted netmask ranges.

Is that all clear?



_______________________________________________
Oscar-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/oscar-devel

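As an added illustration (this is example code written for this page, not pfilter's own generator, which the message does not show), here is a small Python script that produces iptables-restore text in the style the message describes: the RELATED,ESTABLISHED rule first in both INPUT and FORWARD, then accepts for whole interfaces ("trusted ethX ethY"), for trusted netmask ranges, and for individual nodes, with node addresses that fall inside a trusted range swallowed by the range rule. The "trusted" config keyword, the interfaces argument (standing in for pfilter's planned interface detection), the DROP default policy and the sample config are all assumptions made for the example; hostnames that are not literal addresses are passed through to iptables unchanged, since they cannot be range-checked without resolving them.

```python
"""Added example, not pfilter's own code: build an iptables ruleset in the
style described in the message.

Hypothetical config lines (the "trusted" keyword is an assumption):

    trusted eth1 eth2            # cluster-only interfaces: accept everything
    trusted 10.0.0.0/8           # trusted address range (netmask line)
    trusted 10.0.0.5 192.168.1.7 # individual nodes
    trusted node3                # a hostname; left for iptables to resolve

The output is iptables-restore text; nothing is applied to the kernel here.
"""
import ipaddress


def parse_trusted(text, interfaces):
    """Split 'trusted' entries into interface names, networks, addresses
    and bare hostnames.  `interfaces` is the set of local interface names
    (assumed here; pfilter would detect them itself)."""
    ifaces, nets, addrs, names = [], [], [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words or words[0] != "trusted":
            continue
        for item in words[1:]:
            if item in interfaces:
                ifaces.append(item)
            elif "/" in item:
                nets.append(ipaddress.ip_network(item, strict=False))
            else:
                try:
                    addrs.append(ipaddress.ip_address(item))
                except ValueError:
                    names.append(item)  # not an address: treat as hostname
    return ifaces, nets, addrs, names


def swallow_hosts(nets, addrs):
    """Drop node addresses already covered by a trusted range, so the
    generated chain carries one range rule instead of one rule per node."""
    return [a for a in addrs if not any(a in n for n in nets)]


def build_ruleset(text, interfaces, chains=("INPUT", "FORWARD")):
    """Return iptables-restore text for the given chains."""
    ifaces, nets, addrs, names = parse_trusted(text, interfaces)
    addrs = swallow_hosts(nets, addrs)
    lines = ["*filter"]
    for chain in chains:
        # Default policy DROP is an assumption of this example.
        lines.append(f":{chain} DROP [0:0]")
    for chain in chains:
        # Conntrack rule first: every packet of an established TCP connection
        # or a related UDP exchange matches here and never reaches the rest.
        lines.append(f"-A {chain} -m state --state RELATED,ESTABLISHED -j ACCEPT")
        # Remaining rules are consulted only for the first packet of a new
        # or unknown connection.
        for iface in ifaces:
            lines.append(f"-A {chain} -i {iface} -j ACCEPT")
        for net in nets:
            lines.append(f"-A {chain} -s {net} -j ACCEPT")
        for addr in addrs:
            lines.append(f"-A {chain} -s {addr} -j ACCEPT")
        for name in names:
            lines.append(f"-A {chain} -s {name} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


# Constructed sample config for running the script by hand.
SAMPLE_CONFIG = """\
trusted eth1 eth2
trusted 10.0.0.0/8
trusted 10.0.0.5 192.168.1.7 node3
"""

if __name__ == "__main__":
    print(build_ruleset(SAMPLE_CONFIG, interfaces={"eth0", "eth1", "eth2"}), end="")
```

The text it prints can be loaded with `iptables-restore < file`; iptables resolves any hostname given to `-s` when the rule is inserted, which is why unresolved names are emitted rather than range-checked. With the sample config, 10.0.0.5 produces no rule of its own because 10.0.0.0/8 already covers it, while 192.168.1.7 and node3 each get one.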