On Tue, Jun 22, 2010 at 12:18 PM, Ninad A <ninad_adi@xxxxxxxxx> wrote:
> When we block ads or any such things with iptables then there is a lot of delay caused for the application to complete as it is expecting the data which has already been dropped.
> Packets are dropped at IP Layer but who takes care of the delay caused to the application and how to minimize that delay?

As far as I know, ad blocking is more commonly performed using DNS, by resolving domain names to 127.0.0.1, or to a server to serve up notices of removed content (e.g. in a business environment, users could request that sites be unblocked). Is there a reason why you want to block specific IP addresses instead of domains?

Anyway, I suspect that sending back appropriate ICMP error messages instead of DROPing such requests would provide hints to clients that they should give up instead of waiting for a reply.

--Mike
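
Added example, not part of the original message: the change suggested in the reply above, written as iptables commands with the DROP variant beside the REJECT one. It goes slightly beyond the reply by answering TCP with a reset in addition to the ICMP error for other traffic; the ADBLOCK chain name and the blocked addresses are assumptions (constructed samples).

```shell
#!/bin/sh
# Added example (not from the original thread). Prints the iptables commands
# for a blocklist; nothing is applied unless the output is piped to a root shell.
# ADBLOCK is a hypothetical chain name; the addresses are constructed samples
# taken from the RFC 5737 documentation ranges.
BLOCKED="192.0.2.10 198.51.100.0/24"

# emit_rules MODE [HOOK]
#   MODE: drop   -> silent discard, clients wait for their own timeouts
#         reject -> answer with an error so clients fail immediately
#   HOOK: OUTPUT on the client host itself, FORWARD (default) on a gateway
emit_rules() {
    mode=$1
    hook=${2:-FORWARD}
    case $hook in OUTPUT|FORWARD) ;; *) echo "bad hook: $hook" >&2; return 2 ;; esac
    case $mode in drop|reject) ;; *) echo "bad mode: $mode" >&2; return 2 ;; esac

    echo "iptables -N ADBLOCK"
    if [ "$mode" = drop ]; then
        echo "iptables -A ADBLOCK -j DROP"
    else
        # TCP: a RST makes connect() fail at once with "connection refused".
        echo "iptables -A ADBLOCK -p tcp -j REJECT --reject-with tcp-reset"
        # Everything else (UDP etc.): the ICMP error suggested in the reply.
        echo "iptables -A ADBLOCK -j REJECT --reject-with icmp-port-unreachable"
    fi
    for dst in $BLOCKED; do
        echo "iptables -A $hook -d $dst -j ADBLOCK"
    done
}

echo "# DROP (clients hang until timeout):"; emit_rules drop
echo "# REJECT (clients fail fast):";        emit_rules reject
```

The TCP rule must come before the generic one, because `--reject-with tcp-reset` is only valid together with `-p tcp`.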