Andrew Suffield wrote:
>> Brian J. Murrell wrote:
>>> Hrm. How much of the "grunt work" is offloaded from the "firewall"
>>> system though?
>
> And to put a number on that, I find it's usually about a 10:1
> split. The part that's left running on the firewall system appears to
> spend almost all its time doing the fork+exec thing for iptables -
> once per rule, and fork+exec is a lot slower than people expect. It
> could be made faster, but not by running on a different host.

I'm thinking that the big thrust for Shorewall 3.6 will be to have the
compiler generate rules in iptables-restore format -- that will make rule
activation much faster because it eliminates almost all of the fork+exec
overhead.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
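
The idea discussed in this thread, as an added example that is not part of the original messages and is not Shorewall's compiler: a small Python sketch that folds a list of per-rule `iptables` commands into one iptables-restore payload, so the ruleset is loaded by one process instead of one fork+exec per rule. The function names, chain names and sample rules are constructed for illustration, and only `-t`, `-P`, `-N`, `-A` and `-I` are handled.

```python
import shlex
from collections import OrderedDict

# Constructed sample: per-rule commands of the kind a generated script runs,
# each one a separate fork+exec of iptables.
SAMPLE_COMMANDS = [
    "iptables -P INPUT DROP",
    "iptables -N net2fw",
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A INPUT -i eth0 -j net2fw",
    "iptables -A net2fw -p tcp --dport 22 -j ACCEPT",
    'iptables -A net2fw -j LOG --log-prefix "net2fw:DROP: "',
    "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE",
]

def _quote(arg):
    """Re-quote an argument with double quotes when it needs quoting."""
    if arg and not any(c.isspace() or c in '"\\' for c in arg):
        return arg
    return '"' + arg.replace("\\", "\\\\").replace('"', '\\"') + '"'

def to_restore(commands):
    """Fold per-rule iptables commands into one iptables-restore payload."""
    tables = OrderedDict()  # table -> {"chains": {name: policy}, "rules": []}
    for cmd in commands:
        argv = shlex.split(cmd)
        if len(argv) < 2 or argv[0] != "iptables":
            raise ValueError("not an iptables command: %r" % cmd)
        args, table = argv[1:], "filter"      # filter is the default table
        if "-t" in args:                      # pull out "-t <table>"
            i = args.index("-t")
            table = args[i + 1]
            del args[i:i + 2]
        t = tables.setdefault(table, {"chains": OrderedDict(), "rules": []})
        if args[0] == "-P":                   # built-in chain policy
            t["chains"][args[1]] = args[2]
        elif args[0] == "-N":                 # user chain: policy field is "-"
            t["chains"][args[1]] = "-"
        elif args[0] in ("-A", "-I"):         # rule line is kept verbatim
            t["rules"].append(" ".join(_quote(a) for a in args))
        else:
            raise ValueError("unsupported operation: %r" % cmd)
    out = []
    for name, t in tables.items():            # one *table ... COMMIT section each
        out.append("*" + name)
        out += [":%s %s [0:0]" % (c, p) for c, p in t["chains"].items()]
        out += t["rules"] + ["COMMIT"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_restore(SAMPLE_COMMANDS), end="")
```

The returned text is what would be piped to a single `iptables-restore` process on standard input, replacing the seven separate `iptables` invocations in the sample.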
