
Re: iptables -A or iptables -I?

On Tue, 2004-10-19 at 19:07 +0200, Martin G.H. Minkler wrote:

> The effect certainly is, I was just wondering how the appendage or 
> insertion of another rule worked 'under the hood'.

AAhhh.... I get it :-)

Knowing that to insert an element at the end of a list, in pseudocode:

- create_new_element(n)
- link_element(list, n)

And inserting an element at the beginning of a list:

- create_new_element(n)
- newlist = create_new_list(number_of_elements(list)+1)
- link_element(newlist,n)
- copy_elements(newlist,list,1,number_of_elements(list))

So it seems quicker to add at the end of the list :->

> The background to my question is a 1.4MB IP blacklist I have to block. I 
> traverse so that only incoming NEW from $DEV_INET is passing that chain, 
> but appending the ruleset (i.e. at boottime) takes roughly 30min.
> So I was wondering whether inserting might be quicker :-)

Blacklisting from what? All services? Mail?
Sometimes a "deny, then allow" rule is better than "allow, then
deny". Your case may be the example.

Juan Carlos Inostroza O.
Registered Linux User #246002
jci@tux.cl - http://www.tux.cl - http://foros.tux.cl
Blogging for fun _and_ profit : http://jci.codemonkey.cl
"We are just packets in the Internet of Life" -- UserFriendly
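As an added example (not from this thread or its authors), a small script that turns a plain-text IP blacklist into a BLACKLIST chain hooked into INPUT for NEW connections arriving on $DEV_INET, so the whole list can be loaded by iptables-restore in one go instead of one iptables process per address. It assumes one IPv4 address or CIDR per line with '#' comments, and that DEV_INET names the Internet-facing interface (eth0 if unset).

```shell
#!/bin/sh
# Added example, not the list poster's code. Builds an iptables-restore
# fragment: a BLACKLIST chain of DROP rules plus the INPUT hook that sends
# only incoming NEW connections from $DEV_INET through that chain.
# Assumption: blacklist file has one IPv4 address or CIDR per line,
# '#' starts a comment.

DEV_INET="${DEV_INET:-eth0}"

# gen_blacklist_rules FILE -> prints iptables-restore input on stdout
gen_blacklist_rules() {
    printf '*filter\n'
    printf ':BLACKLIST - [0:0]\n'
    # Strip comments and blank lines, keep only dotted-quad / CIDR tokens
    # so a stray line cannot turn into a malformed rule.
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" \
      | grep -E '^[[:space:]]*[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?[[:space:]]*$' \
      | while read -r net; do
            printf -- '-A BLACKLIST -s %s -j DROP\n' "$net"
        done
    # Only NEW connections from the Internet interface traverse the chain.
    printf -- '-A INPUT -i %s -m state --state NEW -j BLACKLIST\n' "$DEV_INET"
    printf 'COMMIT\n'
}

# count_rules FILE -> number of DROP rules the file would produce
count_rules() {
    gen_blacklist_rules "$1" | grep -c -- '-j DROP'
}

# Constructed sample blacklist (RFC 5737 documentation ranges) for a
# stand-alone run; one line is deliberately not an address.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# constructed example entries
192.0.2.10
198.51.100.0/24
not-an-address
203.0.113.7   # trailing comment
EOF

gen_blacklist_rules "$SAMPLE"
```

Feeding the output to `iptables-restore -n` replaces the table contents in a single kernel round-trip, which is where the time goes when thousands of rules are added one iptables invocation at a time.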
