On Thu, 2007-11-01 at 11:05 +0100, Pascal Hambourg wrote:
> Matt Zagrabelny wrote:
> > On Wed, 2007-10-31 at 20:19 +0100, Pascal Hambourg wrote:
> >
> >>Matt Zagrabelny wrote:
> >>
> >>>If so, you can do MAC filtering (performance shouldn't matter as the MAC
> >>>address is in the link header)
> >>
> >>Can you please elaborate about the relationship between filtering
> >>performance and the address layer ?
> >
> > There is nothing to elaborate on. ;)
> >
> > The frame contains the MAC address. This is what iptables will be
> > looking at. If the box running iptables is on the same network/vlan as
> > the rest of the traffic it is expecting to filter, then it will have MAC
> > addresses of actual hosts, however, if traffic is coming from a
> > different network/vlan then said traffic will have been routed and the
> > frame will have changed, thus the MAC address will be the MAC of the
> > network boundary, namely the router/gateway.
>
> Sorry, but I still do not see the point in "performance shouldn't matter
> as the MAC address is in the link header". Performance (read : speed) is
> mostly related to the number of rules, isn't it ?

Okay, I see now. Performance would be related to the number of rules that
each packet needs to be tested against, not to the criterion of the match.

Caveat: perhaps layer7 matching would be slower, or using the owner module;
I don't know about these modules.

-- 
Matt Zagrabelny - mzagrabe@xxxxxxxxx - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2

He is not a fool who gives up what he cannot keep to gain what he cannot lose.
-Jim Elliot
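As an added illustration of the two points in this exchange (which MAC a filter actually sees once traffic has been routed, and per-packet cost growing with the number of rules tested rather than with the header field a rule looks at), here is example code written for this page. It is not from the thread and does not run iptables: it builds constructed Ethernet II + IPv4 frames, parses the fields that an `iptables -m mac --mac-source` rule and a source-IP rule would each compare, and walks a toy first-match-wins chain modelled on a netfilter INPUT chain. Every MAC and IP address, host, and rule below is made up for the example; the iptables commands in the comments are the hypothetical rules the toy list imitates.

```python
import struct

ETH_P_IP = 0x0800

# Constructed topology for this example (all addresses are made up):
LAN_HOST_A = ("00:11:22:33:44:01", "192.0.2.10")
LAN_HOST_B = ("00:11:22:33:44:02", "192.0.2.11")
GATEWAY = ("00:11:22:33:44:fe", "192.0.2.1")      # router to the other network
FIREWALL = ("00:11:22:33:44:ff", "192.0.2.20")    # the box running the filter
REMOTE_1 = ("00:aa:bb:cc:dd:01", "198.51.100.7")  # on the far side of GATEWAY
REMOTE_2 = ("00:aa:bb:cc:dd:02", "198.51.100.8")  # on the far side of GATEWAY


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Ethernet II header followed by a minimal 20-byte IPv4 header, no payload."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IP)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto (TCP), checksum
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20, 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip


def deliver(host, dst_ip, routed_via=None):
    """The frame as it arrives on FIREWALL's NIC.

    On the same LAN the link header carries the host's own MAC.  When the
    packet crosses a router, the router writes a new link header: the source
    MAC is now the router's, the original host MAC is gone, and only the IP
    header still identifies the sender."""
    src_mac = routed_via if routed_via else host[0]
    return build_frame(src_mac, FIREWALL[0], host[1], dst_ip)


def parse_frame(frame):
    """Extract exactly what a MAC match and an IP match would each look at."""
    if len(frame) < 34:
        raise ValueError("truncated frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_IP:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    src_ip, dst_ip = struct.unpack("!4s4s", frame[26:34])
    return {
        "src_mac": ":".join("%02x" % b for b in frame[6:12]),
        "src_ip": ".".join(str(b) for b in src_ip),
        "dst_ip": ".".join(str(b) for b in dst_ip),
    }


# Toy chain with the shape of these hypothetical iptables rules (not run here):
#   iptables -A INPUT -m mac --mac-source 00:11:22:33:44:01 -j ACCEPT
#   iptables -A INPUT -m mac --mac-source 00:11:22:33:44:02 -j ACCEPT
#   iptables -A INPUT -m mac --mac-source 00:aa:bb:cc:dd:01 -j ACCEPT
#   iptables -P INPUT DROP
RULES = [("mac-source", LAN_HOST_A[0], "ACCEPT"),
         ("mac-source", LAN_HOST_B[0], "ACCEPT"),
         ("mac-source", REMOTE_1[0], "ACCEPT")]  # never matches: REMOTE_1 is routed
POLICY = "DROP"


def evaluate(frame, rules=RULES, policy=POLICY):
    """First match wins, top to bottom.  Returns (verdict, rules_tested).

    Per-packet cost grows with the number of rules tested before a match;
    a MAC compare and an IP compare are each one fixed-size comparison on an
    already-parsed header, so the match criterion itself is not the cost."""
    fields = parse_frame(frame)
    tested = 0
    for match_type, value, target in rules:
        tested += 1
        if match_type == "mac-source" and fields["src_mac"] == value:
            return target, tested
        if match_type == "src-ip" and fields["src_ip"] == value:
            return target, tested
    return policy, tested


def demo():
    fw_ip = FIREWALL[1]
    out = {}
    out["lan_a"] = evaluate(deliver(LAN_HOST_A, fw_ip))
    out["lan_b"] = evaluate(deliver(LAN_HOST_B, fw_ip))
    out["lan_unknown"] = evaluate(deliver(("00:11:22:33:44:09", "192.0.2.99"), fw_ip))
    r1 = deliver(REMOTE_1, fw_ip, routed_via=GATEWAY[0])
    r2 = deliver(REMOTE_2, fw_ip, routed_via=GATEWAY[0])
    out["remote_1"] = evaluate(r1)  # its own MAC is allow-listed, still dropped
    out["remote_2"] = evaluate(r2)
    out["remote_macs_identical"] = parse_frame(r1)["src_mac"] == parse_frame(r2)["src_mac"]
    # Allow-listing the gateway MAC instead admits every host behind it.
    gw_rules = [("mac-source", GATEWAY[0], "ACCEPT")]
    out["gateway_allowed"] = (evaluate(r1, gw_rules)[0], evaluate(r2, gw_rules)[0])
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-22s %s" % (name, value))
```

Run with `python3`. The two routed hosts arrive with identical source MACs (the gateway's), so the rule written for REMOTE_1's real MAC can never fire, and allow-listing the gateway's MAC admits everyone behind it; a MAC allow-list therefore only says something about hosts on the filter's own segment. The `rules_tested` counter is the part of the per-packet cost that a rule author controls: it is the same whether the rule compared six MAC bytes or four IP bytes.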