On Mon, 2015-01-12 at 17:32 +0100, Jan Engelhardt wrote:
> On Monday 2015-01-12 17:04, Eric Dumazet wrote:
> >
> > iptables should have used ifindex [for interface matching],
> > it's sad we allowed the substring match in first place.
>
> How would you solve interface name wildcards with ifindices?
> (They come in handy if you have something like lots of tun+/veth+
> interfaces from openvpn/lxc.)

This is what I said: "it's sad we allowed the substring match in first place."

This obviously referred to wildcards, in the in/out interface match for every _single_ rule, consuming 64 bytes of memory per rule and per cpu! Which is absolutely crazy in terms of memory usage.

Matching tun+ or whatever could easily be done by a match (-m ...), because you can factorize this quite easily (called once for a group of rules).

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
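The per-rule interface wildcard the thread argues about works by storing, in every rule, a fixed-size interface name plus a byte mask derived from the trailing "+", and comparing the packet's device name against both on each rule evaluation. The following is an added illustration written for this page, not code from the thread, from iptables or from the kernel; it models the name/mask scheme iptables uses (two 16-byte names and two 16-byte masks per rule, which is where the 64 bytes come from) in a small stand-alone program. The names `iface_match_parse` and `iface_match_check` and the `struct iface_match` type are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not netfilter code: a rule's interface spec such as "tun+"
 * stored as a fixed 16-byte name plus a 16-byte mask, and the per-packet
 * comparison run against it. Modeled on the iptables name/mask scheme. */

#define IFNAMSIZ 16

struct iface_match {
    char name[IFNAMSIZ];           /* rule's interface name, NUL padded */
    unsigned char mask[IFNAMSIZ];  /* 0xFF for bytes that must match */
};

/* Build name+mask from a user spec. A trailing '+' is a wildcard: only the
 * prefix before it is compared. Without '+', the terminating NUL is part of
 * the comparison so "eth1" does not match "eth10". Returns 0 on success,
 * -1 if the spec is empty or too long for IFNAMSIZ. */
int iface_match_parse(const char *spec, struct iface_match *m)
{
    size_t len = strlen(spec);
    memset(m, 0, sizeof(*m));
    if (len == 0 || len >= IFNAMSIZ)
        return -1;
    if (spec[len - 1] == '+') {
        memcpy(m->name, spec, len - 1);
        memset(m->mask, 0xFF, len - 1);     /* "+" alone: mask all zero, matches any device */
    } else {
        memcpy(m->name, spec, len);
        memset(m->mask, 0xFF, len + 1);     /* include the NUL terminator */
    }
    return 0;
}

/* Per-packet comparison: XOR the two names byte by byte and keep only the
 * masked bytes; any surviving nonzero bit means a mismatch. This runs for
 * every rule carrying an interface spec, which is the per-rule cost Eric
 * objects to; a shared -m match would evaluate it once for a group of rules. */
int iface_match_check(const struct iface_match *m, const char *devname)
{
    char dev[IFNAMSIZ];
    unsigned int diff = 0;
    size_t i;
    memset(dev, 0, sizeof(dev));
    strncpy(dev, devname, IFNAMSIZ - 1);
    for (i = 0; i < IFNAMSIZ; i++)
        diff |= ((unsigned char)m->name[i] ^ (unsigned char)dev[i]) & m->mask[i];
    return diff == 0;
}

int main(void)
{
    /* Constructed sample specs and device names. */
    const char *specs[] = { "tun+", "eth1", "veth+" };
    const char *devs[]  = { "tun0", "tun12", "eth1", "eth10", "veth3abc", "lo" };
    struct iface_match m;
    for (size_t s = 0; s < 3; s++) {
        if (iface_match_parse(specs[s], &m) != 0)
            continue;
        for (size_t d = 0; d < 6; d++)
            printf("%-6s vs %-9s -> %s\n", specs[s], devs[d],
                   iface_match_check(&m, devs[d]) ? "match" : "no match");
    }
    return 0;
}
```

The point of the mask is that the wildcard costs nothing extra at match time beyond the fixed 16-byte loop, but that loop and its 64 bytes of rule state are paid by every rule that names an interface, which is the memory argument made above.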