On Wed, 12/03/2008 at 20:24 +0100, bossk writes:
> Hi,
>
> I have a lot of FORWARD rules to the same IPs and a handful of different ports, and
> I try to increase the overall performance. I have the following ruleset in my
> mind to achieve this goal:
>
> iptables -A FORWARD -d 10.0.0.1 -j next
> iptables -A next -p TCP --dport 111 -j next2
> iptables -A next2 -s 10.7.0.1 -j ACCEPT
>
> This means that I have to traverse 2 chains and then the next2 chain for
> finding the right IP. If the sender sends another packet, the packet has to
> traverse the same chains again. If I instead do a
>
> iptables -A FORWARD -d 10.0.0.1 -m conntrack --ctstate ESTABLISHED -j ACCEPT
> iptables -A FORWARD -d 10.0.0.1 -j next
> iptables -A next -p TCP --dport 111 -j next2
> iptables -A next2 -s 10.7.0.1 -m conntrack --ctstate NEW -j ACCEPT
>
> the following packets just traverse the first rule.
>
> My question now is: are there any drawbacks to doing it this way? Or is there
> another, more convenient way to do it?

1. You can match the first packet in the nat table and DROP/ACCEPT there.

2. You may consider using the ipset patch; this will allow you to use bindings (IP/port single-rule match). Also, sets are hashed or in a tree-like structure, depending on what you choose.

Also don't forget about RELATED packets. ICMP is not only a PING!

--
Покотиленко Костик <casper@xxxxxxxxxxxx>
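The cost difference between the two rulesets, and the reply's RELATED caveat, can be checked with a small model of chain traversal. The following is an added example written for this note; it is not code from the thread or from netfilter. It replays the three iptables layouts from the question (the original three-chain layout, the conntrack shortcut with ESTABLISHED only, and the same shortcut with ESTABLISHED,RELATED, as the reply recommends) against three constructed packets and counts how many rules each packet has to be evaluated against. It assumes a FORWARD policy of DROP, which the thread does not state, and the router address 10.9.9.9 is invented for the ICMP error case.

```python
"""Toy model of iptables chain traversal (constructed example, not netfilter itself)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp" or "icmp"
    ctstate: str            # conntrack state: "NEW", "ESTABLISHED" or "RELATED"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    target: str                           # "ACCEPT", "DROP" or a user chain name
    src: Optional[str] = None             # -s
    dst: Optional[str] = None             # -d
    proto: Optional[str] = None           # -p
    dport: Optional[int] = None           # --dport
    ctstate: Optional[frozenset] = None   # -m conntrack --ctstate

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.ctstate is None or p.ctstate in self.ctstate))

POLICY = "DROP"   # assumed FORWARD chain policy (not stated in the thread)

def walk(chains, pkt, chain="FORWARD"):
    """Traverse `chain` the way netfilter does.
    Returns (verdict, rules_evaluated); verdict is None if the chain ran off
    its end, which acts as an implicit RETURN to the calling chain."""
    evaluated = 0
    for rule in chains[chain]:
        evaluated += 1
        if not rule.matches(pkt):
            continue
        if rule.target in chains:                 # -j <user chain>
            sub_verdict, sub_count = walk(chains, pkt, rule.target)
            evaluated += sub_count
            if sub_verdict is not None:
                return sub_verdict, evaluated
            continue                              # sub-chain returned; carry on
        return rule.target, evaluated             # terminating target
    return None, evaluated

def verdict(chains, pkt):
    """Final verdict for `pkt` (chain policy applies on fall-through) and rule count."""
    v, n = walk(chains, pkt)
    return (v if v is not None else POLICY), n

DST, SRC, PORT = "10.0.0.1", "10.7.0.1", 111

# The original three-chain layout from the question.
ORIGINAL = {
    "FORWARD": [Rule("next", dst=DST)],
    "next":    [Rule("next2", proto="tcp", dport=PORT)],
    "next2":   [Rule("ACCEPT", src=SRC)],
}

def shortcut(states):
    """The conntrack shortcut: an early ACCEPT for `states`, NEW-only match in next2."""
    return {
        "FORWARD": [Rule("ACCEPT", dst=DST, ctstate=frozenset(states)),
                    Rule("next", dst=DST)],
        "next":    [Rule("next2", proto="tcp", dport=PORT)],
        "next2":   [Rule("ACCEPT", src=SRC, ctstate=frozenset({"NEW"}))],
    }

ESTABLISHED_ONLY = shortcut({"ESTABLISHED"})               # as posted in the question
WITH_RELATED = shortcut({"ESTABLISHED", "RELATED"})        # as the reply advises

# Constructed sample traffic.
SYN = Packet(SRC, DST, "tcp", "NEW", PORT)                 # first packet of the flow
DATA = Packet(SRC, DST, "tcp", "ESTABLISHED", PORT)        # every later packet
ICMP_ERR = Packet("10.9.9.9", DST, "icmp", "RELATED")      # ICMP error from a path router

def compare():
    """Verdict and rules-evaluated for each packet under each ruleset."""
    rulesets = [("original", ORIGINAL),
                ("established_only", ESTABLISHED_ONLY),
                ("with_related", WITH_RELATED)]
    packets = [("syn", SYN), ("data", DATA), ("icmp_err", ICMP_ERR)]
    return {name: {label: verdict(rs, p) for label, p in packets}
            for name, rs in rulesets}

if __name__ == "__main__":
    for name, results in compare().items():
        print(name, results)
```

The model shows the trade-off the question asks about: the shortcut costs the first packet of a flow one extra rule (4 instead of 3), and every later packet of that flow then stops at rule 1 instead of walking all three chains. It also shows the reply's point: an ICMP error that conntrack classes as RELATED never matches `--ctstate ESTABLISHED`, walks into `next`, fails the TCP match there and falls through to the chain policy, so with ESTABLISHED only it is dropped, and it is accepted once RELATED is added to the first rule.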