Is a match-all rule with jump to empty chain processed?

I have an optimization question regarding iptables:  Will a rule that matches all packets and jumps to a defined but empty table be processed? And if so, how much overhead is involved with jumping to an empty table?

For example, assume that I am starting with a totally empty set of rules.  Then I add these rules:

iptables -t filter -N empty_chain
iptables -t filter -A INPUT -j empty_chain

I tested this myself and used "iptables -t filter -L -n -v" and could see that the number of packets and bytes were increasing on the "INPUT -j empty_chain" rule, so I assume that means it is being processed.  The empty_chain chain has no rules, so there was no packet/data information.  What kind of overhead is involved here? Is there any optimization performed internally when a chain is known to be empty?


Some of you may be curious why in the world I would want to do this.  Here is the (way simplified) scenario:

I have a process that manages the iptables rules.  It generates a file that can be loaded with iptables-restore.  Under normal circumstances, this process is the authority for iptables rules.  But, there may be some situations where a cron job needs to add a temporary override.  I had originally planned to have an empty chain named "overrides" along with a corresponding rule at the top of the filter/INPUT chain that would jump to the overrides chain. All other regular rules would follow the "overrides" jump rule. *Please ignore any security issues you might imagine for now. I'm over simplifying the situation for this example.

When an override is required, like "allow all UDP destined for port 1234", the cron job could run a simple "iptables -t filter -A overrides -p udp -m udp --dport 1234 -j ACCEPT".  When the override was no longer needed, it could simply flush the overrides chain.


Under normal operation the overrides chain would be empty.  I hate to spend overhead processing the "match all jump to overrides" rule.  I know the optimal way is really to add and remove the "-j overrides" rule as needed, but the simplicity of the cron job working with just the overrides chain is appealing.


So, does anyone with knowledge of the inner workings have an idea about overhead and possible optimization?
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
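An added example, not part of the original post, for the override scheme described above: a small Python audit of `iptables-save -c` output that checks the "overrides" chain exists, that the match-all jump to it is the first rule in INPUT (so overrides take precedence over the regular rules), reports the jump rule's packet/byte counters, and lists whatever overrides are currently active. The ruleset text is a constructed sample, not captured from a real host.

```python
import re

# Constructed sample of `iptables-save -c` output (not captured from a real host):
# an empty "overrides" chain with a match-all jump to it at the top of INPUT.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:overrides - [0:0]
[1532:201844] -A INPUT -j overrides
[1500:198000] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[2:120] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[30:3724] -A INPUT -j DROP
COMMIT
"""

# "[pkts:bytes] -A <chain> <rest of rule>" as printed by iptables-save -c
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")


def parse_filter(text):
    """Map each chain of the *filter table to its rules as (pkts, bytes, rule)."""
    chains, in_filter = {}, False
    for line in text.splitlines():
        if line.startswith("*"):                   # table header, e.g. *filter / *nat
            in_filter = line.strip() == "*filter"
        elif in_filter and line.startswith(":"):   # chain declaration
            chains.setdefault(line[1:].split()[0], [])
        elif in_filter:
            m = RULE_RE.match(line)
            if m:
                pkts, nbytes, chain, rule = m.groups()
                chains.setdefault(chain, []).append((int(pkts), int(nbytes), rule))
    return chains


def audit_overrides(text, chain="overrides", parent="INPUT"):
    """Check the override scheme: the chain exists, the jump to it is the first
    rule of the parent chain (so overrides win), and report what is active."""
    chains = parse_filter(text)
    parent_rules = chains.get(parent, [])
    jump = parent_rules[0] if parent_rules else None
    jump_first = jump is not None and jump[2] == f"-j {chain}"
    return {
        "chain_exists": chain in chains,
        "jump_first": jump_first,
        # counters on the match-all jump rule: every packet entering the parent
        # chain is counted here even while the target chain is empty
        "jump_counters": (jump[0], jump[1]) if jump_first else None,
        "active_overrides": [r for _, _, r in chains.get(chain, [])],
    }


if __name__ == "__main__":
    print(audit_overrides(SAMPLE))
```

Run it against live output with `iptables-save -c | python3 audit.py` after replacing SAMPLE with `sys.stdin.read()`.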

