Tom Eastep wrote:
>> Which do you think is likely to be most efficient - CPU load wise ?
>> tcrules as I've been looking at (and don't use IFB), or tcfilters as
>> I've been doing them up till now ?
>>
>> In particular, I'm thinking about the case where I might have <some
>> number> of IP addresses to include in one set of classes - so
>> potentially duplicating "address <something> and port <something>"
>> rules many times in tcfilters. The particular group that's in mind at
>> the moment is about 16 discrete IPs (not a simple address/mask set).
>
> With your tcrules approach, you only have to evaluate the long list of
> tcrules once for any given connection (because you are using
> SAVE/RESTORE). With tcfilters, you have to evaluate them on every
> packet. So the tcrules approach is definitely a win from a CPU
> utilization perspective.

That's what I thought. I think it will also be easier to maintain - not necessarily for me, I always have to consider whoever is "lucky" enough to take over if I move on.

--
Simon Hobson
