Re: Performance Monitoring

On Sunday 11 January 2004 11:26 pm, Alex Satrapa wrote:

> Ramin Dousti wrote:
> > One can come up with a btree which should reduce the worst case lookup to
> > a max of 8 lookups for a /24.
>
> It'd be better if netfilter supported some way of either binding rules
> to an interface, or allowing a hashtable-lookup for a "jump" based on IP
> address.

It normally isn't much of a problem, because for most people, using the state 
match means that only the first packet of a new connection has to go through 
the ruleset looking for a rule to find out whether it's ACCEPTed or not - all 
future packets for the connection (assuming it gets ESTABLISHED) match on the 
very first rule and the whole system is quite efficient.

Of course, if you're not using state matching then the above does not apply, 
but this is why statefulness is one of the good bits about netfilter.

Antony.

-- 
These clients are often infected by viruses or other malware and need to be 
fixed.  If not, the user at that client needs to be fixed...

 - Henrik Nordstrom, on Squid user's mailing list

                                                     Please reply to the list;
                                                           please don't CC me.
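The traversal cost Antony describes, as an added toy model (written for this archive page, not netfilter code and not from anyone in the thread): it counts how many rules each packet is evaluated against with and without a leading ESTABLISHED rule, so the saving for the second and later packets of a connection is visible. The rule layout, connection key and packet flow are constructed assumptions.

```python
# Added example: a toy model of iptables rule traversal, not netfilter itself.
# Each Ruleset has an optional leading "-m state --state ESTABLISHED -j ACCEPT"
# rule followed by one "-p tcp --dport N -j ACCEPT" rule per permitted port.
# The connection table is a plain set keyed on (src, dst, dport); the real
# conntrack also tracks reply direction, timeouts and more.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Ruleset:
    accept_ports: list            # ports allowed for NEW connections
    stateful: bool                # True: state rule sits first in the chain
    conntrack: set = field(default_factory=set)

    def evaluate(self, pkt):
        """Return (verdict, number_of_rules_evaluated) for one packet."""
        key = (pkt.src, pkt.dst, pkt.dport)
        evaluated = 0
        if self.stateful:
            evaluated += 1        # rule 1: ESTABLISHED -> ACCEPT
            if key in self.conntrack:
                return "ACCEPT", evaluated
        # Walk the per-port rules one at a time, as the chain would.
        for port in self.accept_ports:
            evaluated += 1
            if pkt.dport == port:
                if self.stateful:
                    self.conntrack.add(key)   # connection becomes ESTABLISHED
                return "ACCEPT", evaluated
        return "DROP", evaluated  # chain policy DROP


def total_rule_lookups(stateful, n_packets=100, n_rules=1000):
    """Rules evaluated for a constructed flow of n_packets to the last port."""
    rs = Ruleset(accept_ports=list(range(1, n_rules + 1)), stateful=stateful)
    flow = [Packet("10.0.0.2", "10.0.0.1", n_rules)] * n_packets
    return sum(rs.evaluate(p)[1] for p in flow)


if __name__ == "__main__":
    print("stateful :", total_rule_lookups(stateful=True))    # 1100
    print("stateless:", total_rule_lookups(stateful=False))   # 100000
```

With 1000 rules and a 100-packet connection the stateful chain does 1000 + 1 lookups for the first packet and one per packet afterwards, while the stateless chain pays the full walk for every packet.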