On 01/02/2011 04:57 PM, Genes MailLists wrote:
> On 01/02/2011 06:16 AM, Thomas Woerner wrote:
>> On 12/27/2010 08:42 PM, Casey Dahlin wrote:
>
>>>> Can I ask a stupid question? Does dbus have the kind of performance
>>>> necessary to support this type of application?
>>>>
>>>
>>> What kind of performance do you think is necessary? It's just a
>>> configuration interface, it's not like it's pushing all your packets
>>> through dbus or asking the bus every time it needs to make a routing
>>> decision (or did I miss something? I'd certainly hope not).
>>>
>>> --CJD
>>
>> There will be an optional firewall mode, where you can define firewall
>> features the user will be asked about, but this will be limited to new
>> connection attempts and not all packets in an established connection.
>>
>
> I have no idea how you're implementing this - but if you're using
> iptables to change the rules the performance can be truly awful when you
> have more than a few rules. (I have a lot of rules on our primary border
> firewall).
>
> I switched to iptables-restore and got 2 orders of magnitude speedup
> (yes that is indeed over 100 times faster!!) - something to consider.

I think iptables-restore uses libiptc to manipulate the rules. The problem
is that according to the netfilter FAQ libiptc isn't officially supported,
but I asked about that on the mailing list.

I've always wondered how to properly manipulate iptables rules from, say,
C/C++ (or any "not shell" language) in a safe manner.

Regards,
Dennis

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
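The batching that Genes describes (one iptables-restore load instead of one `iptables` process per rule), as an added example that is not code from this thread or from any of the projects mentioned in it. The function names and the sample rule list are constructed for illustration; the script assumes a POSIX sh and, for the optional parse check, a root shell with the iptables tools installed.

```shell
#!/bin/sh
# Added example, not from the thread: emit one iptables-restore ruleset so that
# many rules are loaded as a single atomic table replacement instead of one
# `iptables` process per rule (each of which re-reads and re-writes the whole
# table). Function names and the sample rules below are constructed here.

# build_filter_ruleset: reads rule bodies (one per line, as they would follow
# the word "iptables") on stdin and prints a complete *filter table in
# iptables-restore syntax. INPUT and FORWARD default to a DROP policy, so the
# generated file is a whole-table replacement, not an append.
build_filter_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    while IFS= read -r rule; do
        # skip blank lines and comments so the batch file stays parseable
        case "$rule" in ''|'#'*) continue ;; esac
        printf '%s\n' "$rule"
    done
    printf '%s\n' 'COMMIT'
}

# count_rules: number of -A lines in a ruleset read from stdin.
count_rules() {
    grep -c '^-A ' || true
}

# Constructed sample: the kind of rule list a firewall daemon would batch up.
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# anything not listed falls through to the INPUT DROP policy'

ruleset=$(printf '%s\n' "$SAMPLE_RULES" | build_filter_ruleset)
printf '%s\n' "$ruleset"

# Optional parse-only check of the generated batch (needs root and iptables):
# `iptables-restore --test` parses and constructs the ruleset without
# committing it, so a syntax error is caught before any table is replaced.
if [ "$(id -u)" = 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    printf '%s\n' "$ruleset" | iptables-restore --test || echo 'ruleset rejected'
fi
```

Because iptables-restore flushes and replaces the table in one commit, a malformed line rejects the whole batch rather than leaving the firewall half-updated; that atomicity is the safety property a daemon gains over issuing rules one at a time.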