
Re: Why not have firewall rules by default?

On Fri, 25 Jan 2008, Török Edwin wrote:
> If it is 2.6, I suggest you contact the netfilter mailing list [1],
> and show them your firewall rules,

What makes you think they don't know about this?  It is a design detail of
the way netfilter is implemented, and the two methods of acceleration I
mentioned (ip sets and hipac) are linked in the front page of

Hashes and other ways of making the packet travel a tree of tables instead
of a single very long one is just an obvious way to optimize it from

> with speed measurements on real workload.

There are papers on these, also linked (indirectly, I believe) from
www.netfilter.org.  I have read at least one by the ip set guys, and another
from the hipac guys about one year ago.  I expect the netfilter.org crew
actually *write* such papers when they are bored, there is no way they don't
know about it.  It is a trade-off on code complexity or some such.

And standard netfilter *is* good enough for most uses, plus with the way CPU
power is increasing, it is likely to remain good enough for most uses for
quite a while yet.

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
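An added illustration of the point made above about a packet walking "a tree of tables instead of a single very long one": a linear chain examines one rule per entry, while a hashed net set (in the spirit of ipset's hash:net, one table per prefix length) probes once per prefix length regardless of how many networks it holds. This is not code from the thread, netfilter or ipset; the rule list and addresses are constructed.

```python
"""Model of linear netfilter chain lookup vs a hashed net set lookup.
Added illustration for this thread; not netfilter or ipset code."""
import ipaddress


class LinearChain:
    """Rules are checked top to bottom, one comparison per rule."""

    def __init__(self, rules):
        self.rules = [(ipaddress.ip_network(n), a) for n, a in rules]

    def lookup(self, src):
        """Return (action, rules_examined) for a source address."""
        addr = ipaddress.ip_address(src)
        for i, (net, action) in enumerate(self.rules, 1):
            if addr in net:
                return action, i
        return "ACCEPT", len(self.rules)  # fell through to chain policy


class HashedNetSet:
    """One hash table per prefix length: mask the address to each
    length present and probe, independent of the number of networks."""

    def __init__(self, nets):
        self.by_prefix = {}
        for n in nets:
            net = ipaddress.ip_network(n)
            self.by_prefix.setdefault(net.prefixlen, set()).add(net)

    def lookup(self, src, action="DROP"):
        """Return (action, probes); longest prefix is tried first."""
        addr = ipaddress.ip_address(src)
        probes = 0
        for plen in sorted(self.by_prefix, reverse=True):
            probes += 1
            masked = ipaddress.ip_network((int(addr), plen), strict=False)
            if masked in self.by_prefix[plen]:
                return action, probes
        return "ACCEPT", probes


def compare(blocked_nets, src):
    """Same blocklist as 2001 chain rules and as one hashed set."""
    chain = LinearChain([(n, "DROP") for n in blocked_nets])
    return chain.lookup(src), HashedNetSet(blocked_nets).lookup(src)


# Constructed blocklist: 2000 /24s inside 10.0.0.0/8 plus one /16.
BLOCKED = [f"10.{i // 256}.{i % 256}.0/24" for i in range(2000)] + ["172.16.0.0/16"]

if __name__ == "__main__":
    for src in ("10.7.207.9", "172.16.5.5", "192.0.2.1"):
        (a1, n1), (a2, n2) = compare(BLOCKED, src)
        print(f"{src}: chain {a1} after {n1} rules; set {a2} after {n2} probes")
```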
