On 10/30/2012 09:05 AM, Simon Hobson wrote:
> Tom Eastep wrote:
>
>> When you use an IFB, you must use filters (/etc/shorewall/tcfilters) to
>> do the classification of inbound traffic. There is no Netfilter hook
>> prior to the traffic being passed to the IFB, so tcrules in any form
>> won't work.
>>
>> For outbound traffic, your tcrules approach works fine. It also works
>> fine if you continue to do the shaping on your internal interface rather
>> than on an IFB.
>
> Ah, so decision time then
>
> I'll probably stick with IFB since I'm also looking at potentially
> adding an additional internal interface in the future. But I'll have
> to have a chat with others first and see where things are likely to
> go before I finalise that.
>
> Which do you think is likely to be most efficient - CPU load wise ?
> tcrules as I've been looking at (and don't use IFB), or tcfilters as
> I've been doing them up till now ?
>
> In particular, I'm thinking about the case where I might have <some
> number> of IP addresses to include in one set of classes - so
> potentially duplicating "address <something> and port <something>"
> rules many times in tcfilters. The particular group that's in mind at
> the moment is about 16 discrete IPs (not a simple address/mask set).
>

With your tcrules approach, you only have to evaluate the long list of
tcrules once for any given connection (because you are using
SAVE/RESTORE). With tcfilters, you have to evaluate them on every
packet. So the tcrules approach is definitely a win from a CPU
utilization perspective.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
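
Added example, not part of the original thread and not Shorewall code: a small Python model of the point made in the reply above, counting rule comparisons when the list is walked for every packet (the tcfilters case) versus once per connection with the mark saved and restored (the tcrules case with SAVE/RESTORE). The 16 addresses, the port, the mark values and the linear rule walk are constructed assumptions.

```python
# Added illustration: counts rule comparisons, not real CPU cycles.
from ipaddress import ip_address

# Constructed sample: 16 discrete addresses (documentation range), each
# paired with a port and a class mark -> (addr, port, mark).
RULES = [(ip_address(f"192.0.2.{10 + 3 * i}"), 443, 2) for i in range(16)]
DEFAULT_MARK = 1  # assumed default class for traffic matching no rule

def classify(src, dport):
    """Walk the rule list in order; return (mark, comparisons made)."""
    for n, (addr, port, mark) in enumerate(RULES, start=1):
        if src == addr and dport == port:
            return mark, n
    return DEFAULT_MARK, len(RULES)  # full miss costs the whole list

def per_packet(packets):
    """tcfilters model: every packet is matched against the list."""
    return sum(classify(src, dport)[1] for src, _sport, dport in packets)

def per_connection(packets):
    """tcrules model with SAVE/RESTORE: the mark is kept per connection."""
    connmark, total = {}, 0
    for src, sport, dport in packets:
        key = (src, sport, dport)
        if key in connmark:   # RESTORE: mark copied back, rule list skipped
            continue
        mark, n = classify(src, dport)
        connmark[key] = mark  # SAVE: remembered for the rest of the connection
        total += n
    return total

def sample_traffic(conns=20, pkts_per_conn=100):
    """Constructed traffic: `conns` connections with interleaved packets."""
    flows = [(RULES[i % 16][0], 40000 + i, 443) for i in range(conns)]
    return [flow for _ in range(pkts_per_conn) for flow in flows]

if __name__ == "__main__":
    traffic = sample_traffic()
    print("per-packet comparisons:    ", per_packet(traffic))
    print("per-connection comparisons:", per_connection(traffic))
```

The gap widens with connection length: the per-connection cost is paid on the first packet only, while the per-packet cost scales with every packet sent.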
