Hi Wang Jian,

On Wed 06 Apr 2005 17:18, Wang Jian wrote:

> ...
> It depends. You must consider the ruleset size and ruleset pattern.
>
> For a large ruleset, it is not good to let every packet go through the
> rules and get matched on some class. Think about 200 rules as an example.
>
> It is better to have some kind of memory on a flow. If the first packet of a
> flow is classified as class C1, then it is good to remember it, and every
> following packet of this flow is classified as class C1.
>
> iptables/netfilter has CONNMARK support, which can be used to remember
> a u32 number, and then set the packet's mark from this CONNMARK.
>
> You can use such a scheme:
>
> # if the flag is set, then restore connmark to mark
> iptables -m connmark --mark value/mask -j CONNMARK --restore-mark --mask mask

Do you know if this mask here is able to match more than one mark? Like if, say, to match the marks in the range from 10000 (0x2710) to 20000 (0x4e20), the above will be:

iptables ... -m connmark --mark 0x2710/0xb1df -j CONNMARK --restore-mark --mask 0xb1df

where 0xb1df is (65535 XOR 20000). I guess it is just XOR, not XOR then +1 (this would give a mask value of 0xb1e0), which I saw in some examples (google) of using the masking bits.

> # else, do the various match
> iptables <match rule 1> -j CONNMARK --set-mark value/mask
> iptables <match rule 1> -j RETURN
> iptables <match rule 2> -j CONNMARK --set-mark value/mask
> iptables <match rule 2> -j RETURN
>

It makes a lot of sense (I have to review the netfilter/iptables docs a bit to bring myself up to speed).

> Using this method, the first packet is matched in O(N), but following
> packets are matched in O(1).
>
> So it is good to use iptables CONNMARK + MARK and tc fw filter.
>
> But, if the ruleset is small, the difference should be small. You then
> should choose the better one for you:
>
> 1. netfilter is more flexible;
> 2. tc filter is expected to be a little faster (I am not sure);
>

Thanks a lot,
Adrian

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
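The two things the thread turns on are (a) what `--mark value/mask` actually selects and (b) the CONNMARK restore-then-classify ordering. The script below is an added example for this page, not code from either poster: `mark_matches` reproduces netfilter's mark test, which is `(mark & mask) == (value & mask)`, i.e. a bit pattern, so a value/mask pair only covers a numeric interval when that interval is an aligned, power-of-two-sized block; `count_range_hits` lets you see how many marks in a range a given pair really catches (for example, how many of 10000..20000 the pair 0x2710/0xb1df matches). `emit_rules` renders the CONNMARK scheme as a complete mangle-table ruleset, echoed rather than applied so it runs without iptables or root; the chain name FLOWCLASS, the interface eth0, the ports, the 0xff mask and the tc class ids are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# Demonstrates (1) how "--mark value/mask" is evaluated and
# (2) the CONNMARK restore/set ordering, emitted as a ruleset.

# mark_matches VALUE MASK MARK
# Succeeds when MARK would satisfy "-m connmark --mark VALUE/MASK".
# netfilter compares the bits under the mask only: (mark & mask) == (value & mask).
mark_matches() {
    [ $(( $3 & $2 )) -eq $(( $1 & $2 )) ]
}

# count_range_hits VALUE MASK LO HI
# Prints how many marks in LO..HI (inclusive) match VALUE/MASK.
# Hex arguments are accepted because everything goes through $(( )).
count_range_hits() {
    value=$1 mask=$2 m=$(( $3 )) hi=$(( $4 )) n=0
    while [ "$m" -le "$hi" ]; do
        if mark_matches "$value" "$mask" "$m"; then n=$(( n + 1 )); fi
        m=$(( m + 1 ))
    done
    echo "$n"
}

# emit_rules
# Echoes the ruleset implied by the scheme in the thread. Assumed names:
# chain FLOWCLASS, interface eth0, class marks 1 and 2 in the low byte (mask 0xff),
# tc classes 1:10 and 1:20.  Nothing is applied; the lines are only printed.
emit_rules() {
    cat <<'EOF'
iptables -t mangle -N FLOWCLASS
iptables -t mangle -A PREROUTING -j FLOWCLASS
# Flow already classified (low byte of the connmark non-zero): copy it to the
# packet mark and stop.  This is the O(1) path for every packet after the first.
iptables -t mangle -A FLOWCLASS -m connmark ! --mark 0/0xff -j CONNMARK --restore-mark --mask 0xff
iptables -t mangle -A FLOWCLASS -m connmark ! --mark 0/0xff -j RETURN
# First packet of a flow: walk the real match rules once, store the class in
# the connmark, then RETURN so later rules are not evaluated.
iptables -t mangle -A FLOWCLASS -p tcp --dport 22 -j CONNMARK --set-mark 1/0xff
iptables -t mangle -A FLOWCLASS -p tcp --dport 22 -j RETURN
iptables -t mangle -A FLOWCLASS -p tcp --dport 80 -j CONNMARK --set-mark 2/0xff
iptables -t mangle -A FLOWCLASS -p tcp --dport 80 -j RETURN
# The set-mark above only wrote the connmark; copy it to this first packet too.
iptables -t mangle -A FLOWCLASS -j CONNMARK --restore-mark --mask 0xff
# tc fw filters key on the packet mark ("handle" is the mark value).
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw classid 1:10
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 2 fw classid 1:20
EOF
}

# Stand-alone demonstration.
for mark in 10000 15000 20000; do
    if mark_matches 0x2710 0xb1df "$mark"; then
        echo "mark $mark matches 0x2710/0xb1df"
    else
        echo "mark $mark does NOT match 0x2710/0xb1df"
    fi
done
echo "marks in 10000..20000 matched by 0x2710/0xb1df: $(count_range_hits 0x2710 0xb1df 10000 20000)"
echo "marks in 16..31 matched by 0x10/0xfff0:          $(count_range_hits 0x10 0xfff0 16 31)"
echo
emit_rules
```

Running it shows that 0x2710/0xb1df matches 10000 but not 15000 or 20000, and catches only 10 of the 10001 marks in that interval, whereas an aligned block such as 0x10/0xfff0 matches every mark from 16 to 31. If distinct classes need to be selected by mask, give each class its own bit (or an aligned block of bits) in the mark, as the 0xff low-byte convention in `emit_rules` does; the "! --mark 0/0xff" test is then a reliable "already classified" check.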