Hello,

Well I am not an expert but I think that user chains could improve performance.

If you had in total 1000 rules and no user chains, a packet may have to go through 999 rules to find a match or no match.

If you broke up your 1000 rules into 25 different user chains a packet would at most have to be matched against 24 user chains and then only be checked against required chains and not other rules.

Michael.

On Tue, 13 Jul 2004 18:04:43 -0300
Alejandro Flores <alejandro.flores@xxxxxxxxxxxxxxxx> wrote:

> Hello there,
>
> Well, I've been teaching netfilter/iptables for a while, and always
> there's someone asking about performance. Normally, they use other kinds
> of firewall, like Cisco PIX or Check Point. Is there any benchmark out
> there?
> Another point is, how much can user chains degrade the performance?
> IMHO, user chains are simply the best to help you organize and separate
> rules in groups. But, how can I measure if it's degrading the
> performance?
>
> Thanks!
> Alejandro
>
> Ps. Sorry for my poor English!

--
Michael Gale
Network Administrator
Utilitran Corporation
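
The traversal cost discussed in this thread can be modelled by counting rule comparisons per packet. This is an added example, not part of either message and not netfilter code: a simplified Python model in which the single-port rules, the chain names `grp0` to `grp24` and the even split of 40 rules per user chain are assumptions.

```python
"""Simplified model: count rule comparisons, flat chain vs. user-chain dispatch."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    lo: int         # lowest destination port matched (inclusive)
    hi: int         # highest destination port matched (inclusive)
    target: object  # "ACCEPT" or a Chain to jump to (assumed rule shape)


@dataclass
class Chain:
    name: str
    rules: list = field(default_factory=list)


def traverse(chain, dport):
    """Return (verdict, comparisons); verdict None means the chain ended with no match."""
    checked = 0
    for rule in chain.rules:
        checked += 1
        if not rule.lo <= dport <= rule.hi:
            continue
        if not isinstance(rule.target, Chain):
            return rule.target, checked
        verdict, sub = traverse(rule.target, dport)  # jump into the user chain
        checked += sub
        if verdict is not None:
            return verdict, checked
        # user chain fell through: return to the caller and keep going
    return None, checked


def build_flat(n=1000, base=10000):
    """One built-in chain holding n single-port rules (constructed sample ruleset)."""
    return Chain("INPUT", [Rule(base + i, base + i, "ACCEPT") for i in range(n)])


def build_chained(n=1000, groups=25, base=10000):
    """Same n rules split into `groups` user chains behind one port-range jump each."""
    size, top = n // groups, Chain("INPUT")
    for g in range(groups):
        start = base + g * size
        sub = Chain(f"grp{g}", [Rule(start + i, start + i, "ACCEPT") for i in range(size)])
        top.rules.append(Rule(start, start + size - 1, sub))
    return top


if __name__ == "__main__":
    flat, chained = build_flat(), build_chained()
    for port in (10000, 10999, 80):  # first rule, last rule, no match
        print(port, traverse(flat, port), traverse(chained, port))
```

In this model a packet that matches the last rule costs 1000 comparisons in the flat chain and 65 with dispatch (25 jump rules plus 40 rules in the last user chain), while a packet matching the very first rule costs one comparison more with dispatch than without.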