Hello Open Access Networks Project MidSweden University,

for each and every rule executed, iptables checks

- source IP
- destination IP
- source interface
- destination interface

These four checks are all of the comparator/mask kind, and when a rule does not specify one of them, then a mask is selected that makes the check always match. The checks are still made.

The two IP matches need eight bytes in the rule (IP/mask), the two interface matches each need a 32-byte interface/mask storage, a whopping two cachelines that need to be read for each rule. This is most likely where you will see the real overhead in accurate timings, once your rules stop fitting the L1 cache of synthetic microtests.

Apart from those four matchings, checking for IP protocol and checking for IP fragmentation bits are also always executed for each rule. But that's small stuff.

Finally, there is a list of additional match criteria, which is only filled when there ARE additional criteria. All matches except the above four are of this selective type, including MAC address matches.

In the source, net/ipv4/netfilter/ip_tables.c, you can find the six fixed checks in the function ip_packet_match(), called by the core rule/list walking done in ipt_do_table().

best regards
Patrick
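The comparator/mask behaviour described in the post, as an added user-space illustration (not the kernel's code, and the struct layout is not the kernel's): an unspecified address or interface gets an all-zero mask, so the compare still runs but cannot fail. IFNAMSZ, the `+` wildcard handling and the test addresses are constructed for the example.

```c
/* Constructed user-space model of the fixed IP/mask and interface/mask checks
 * done in ip_packet_match(); not the kernel's own code or struct layout. */
#include <stdint.h>
#include <string.h>
#define IFNAMSZ 16  /* same size as the kernel's IFNAMSIZ */

/* IP/mask compare: a zero mask (address not in the rule) matches anything. */
int ip_match(uint32_t addr, uint32_t rule_addr, uint32_t rule_mask)
{
    return ((addr ^ rule_addr) & rule_mask) == 0;
}

/* Name/mask from an interface spec as iptables builds it: "" -> all-zero mask
 * (always matches), "eth+" -> 0xff over the prefix only, "eth0" -> 0xff over
 * the name plus its terminating NUL, so "eth0" does not match "eth01". */
void make_iface_mask(const char *spec, char *name, unsigned char *mask)
{
    size_t len = strlen(spec);
    memset(name, 0, IFNAMSZ);
    memset(mask, 0, IFNAMSZ);
    if (len >= IFNAMSZ) len = IFNAMSZ - 1;  /* keep over-long specs in bounds */
    if (len == 0) return;
    if (spec[len - 1] == '+') {             /* wildcard: prefix match only */
        memcpy(name, spec, len - 1);
        memset(mask, 0xff, len - 1);
    } else {
        memcpy(name, spec, len);
        memset(mask, 0xff, len + 1);
    }
}

/* Interface compare: each name byte is XORed with the rule name and ANDed with
 * the mask, so all 16+16 bytes are read even when the rule named no interface. */
int iface_match(const char *dev, const char *name, const unsigned char *mask)
{
    char padded[IFNAMSZ] = {0};
    unsigned long ret = 0;
    strncpy(padded, dev, IFNAMSZ - 1);      /* kernel names are NUL-padded */
    for (int i = 0; i < IFNAMSZ; i++)
        ret |= (unsigned char)(padded[i] ^ name[i]) & mask[i];
    return ret == 0;
}

/* Does a packet arriving on `dev` pass the input-interface check of `spec`? */
int iface_match_spec(const char *spec, const char *dev)
{
    char name[IFNAMSZ]; unsigned char mask[IFNAMSZ];
    make_iface_mask(spec, name, mask);
    return iface_match(dev, name, mask);
}
```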