okay.
from linux man page for iptables:
A firewall rule specifies criteria for a packet, and a target.
If the packet does not match, the next rule in the
chain is examined; if it does match, then the next rule is
specified by the value of the target, which can be the
name of a user-defined chain or one of the special values ACCEPT,
DROP, QUEUE, or RETURN.
which means for packets matching the rule, duplicates won't matter, but
for packets not matching the rule, each rule will be checked separately.
regards,
aseem.
Rob Sterenborg wrote:
Continuing this post:
Adding a rule multiple times shows multiple entries in
iptables -L output. My question is: does it have any
performance impact on packet processing?
Yes.
Should not be, because as soon as a rule is matched, it should come
out, right?
Well, what about the other rules that follow the duplicates? Netfilter
has to check all duplicates before it reaches a rule that is different.
You may not notice the performance hit if you have a small ruleset, but
you will if you have a large one.
Gr,
Rob
--
The end is always good. If it's not good, it's not the end.
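The point both posters make is that identical rules in one chain are pure overhead: only the first copy can ever fire, and every packet that does not match has to walk through all of them. The shell snippet below is an added example, not code from the thread or from the iptables project. It runs offline against a constructed iptables-save dump (not from any real host) to report which rules are duplicated and how many redundant entries a chain carries, and it shows the idempotent "check, then append" pattern using the real `iptables -C` option, which tests whether a rule already exists. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): find duplicate rules in an
# iptables-save dump, and append rules idempotently with `iptables -C`.

# Constructed sample dump in the format `iptables-save -t filter` prints.
# Not captured from a real host.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT'

# Read a dump on stdin and print "count<TAB>rule" for every rule line
# that appears more than once.  Two identical "-A" lines carry the same
# match and the same target, so only the first can ever fire; the rest
# are traversed by every non-matching packet for nothing.
find_duplicate_rules() {
    grep '^-A ' | sort | uniq -c |
        awk '$1 > 1 { c = $1; $1 = ""; sub(/^ /, ""); printf "%d\t%s\n", c, $0 }'
}

# Read a dump on stdin and print how many rule entries are redundant,
# i.e. the copies beyond the first of each duplicated rule.
count_redundant_rules() {
    grep '^-A ' | sort | uniq -c |
        awk '$1 > 1 { n += $1 - 1 } END { print n + 0 }'
}

# Append a rule only if `iptables -C` reports it is not already present.
# Usage: iptables_add_once INPUT -p tcp --dport 22 -j ACCEPT
# (Needs root and a real netfilter; not exercised by the offline run.)
iptables_add_once() {
    chain=$1
    shift
    iptables -C "$chain" "$@" 2>/dev/null || iptables -A "$chain" "$@"
}

# Stand-alone run: report duplicates in the constructed dump.
printf '%s\n' "$SAMPLE_DUMP" | find_duplicate_rules
printf 'redundant entries: %s\n' "$(printf '%s\n' "$SAMPLE_DUMP" | count_redundant_rules)"
```

On a live host, feed `iptables-save` into `find_duplicate_rules` instead of the sample, and use `iptables_add_once` in provisioning scripts so that re-running them never grows the chain. The check only catches byte-identical rule lines; two rules that differ in option order but match the same traffic are still redundant and will not be reported.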