Re: iptables -A or iptables -I?
On Tue, 2004-10-19 at 19:07 +0200, Martin G.H. Minkler wrote:
> The effect certainly is, I was just wondering how the appendage or
> insertion of another rule worked 'under the hood'.
AAhhh.... i get it :-)
Knowing that to insert an element at the end of a list, in pseudocode:
- create_new_element(n)
- link_element(list, n)
And inserting an element at the beggining of a list:
- create_new_element(n)
- newlist = create_new_list(number_of_elements(list+1))
- link_element(newlist,n)
- copy_elements(newlist,list,1,number_of_elements(n))
So, seems quicker adding at the end of the list :->
> The background to my question is a 1.4MB IP blacklist I have to block. I
> traverse so that only incoming NEW from $DEV_INET is passing that chain,
> but appending the ruleset (i.e. at boottime) takes roughly 30min.
> So I was wondering whether inserting might be quicker :-)
Blacklisting from what? All services? Mail?
Sometimes it's better a rule from "deny, then allow" then "allow, then
deny". Your case may be the example.
--
Juan Carlos Inostroza O.
Registered Linux User #246002
jci@tux.cl - http://www.tux.cl - http://foros.tux.cl
Blogging for fun _and_ profit : http://jci.codemonkey.cl
"We are just packets in the Internet of Life" -- UserFriendly
Reply to: