On Tuesday 2010-09-14 17:14, Data Shock wrote:

>I have an optimization question regarding iptables: Will a rule that
>matches all packets and jumps to a defined but empty table be
>processed? And if so, how much overhead is involved with jumping to an
>empty table?

Jumping to arbitrary tables is not within the design.

>-t filter -N empty_chain
>-t filter -A INPUT -j empty_chain

That is a chain, not a table. And yes, it is processed including
overhead, as is done in many other kernel subsystems. The kernel really
is not responsible for the user's misdeeds.
not use empty chains :)

>When an override is required, like "allow all UDP destined for port
>1234", the cron job could run a simple "iptables -t filter -A overrides
>-p udp -m udp --dport 1234 -j ACCEPT". When the override was no longer
>needed, it could simply flush the overrides chain.
>
>Under normal operation the overrides chain would be empty. I hate to
>spend overhead processing the "match all jump to overrides" rule.

I'd say benchmark it before calling it a problem.
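The overrides-chain arrangement discussed in the thread, written out as an added example that is not part of the original mail: a cron-safe script that creates the chain and its single jump from INPUT only when missing (so repeated runs do not stack duplicate jump rules, each of which costs one more rule evaluation per packet), validates the override before appending it, and flushes the chain when the override is over. The chain name `overrides`, inserting the jump at position 1, and the `IPTABLES` variable (which lets the commands be pointed at a stub for dry runs) are assumptions of this example.

```shell
#!/bin/sh
# Manage a normally-empty "overrides" chain reached from INPUT by one
# match-all jump, as in the thread.  Assumed here: the chain name,
# the filter table, and IPTABLES as the command to run (default iptables).
IPT="${IPTABLES:-iptables}"
CHAIN="${OVERRIDES_CHAIN:-overrides}"

# Idempotent setup: -N fails harmlessly if the chain exists, and the jump
# is added only if "iptables -C" says it is not already in INPUT.  Position
# 1 makes overrides win before the regular INPUT rules are evaluated.
ensure_overrides_chain() {
    $IPT -t filter -N "$CHAIN" 2>/dev/null || true
    $IPT -t filter -C INPUT -j "$CHAIN" 2>/dev/null \
        || $IPT -t filter -I INPUT 1 -j "$CHAIN"
}

# add_override PROTO PORT: append an ACCEPT for tcp/udp traffic to PORT.
# Input is checked first so a cron job fed a bad value never runs an
# unintended rule; returns 1 and touches nothing on invalid input.
add_override() {
    proto="$1"; port="$2"
    case "$proto" in
        tcp|udp) ;;
        *) echo "add_override: proto must be tcp or udp" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "add_override: port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] \
        || { echo "add_override: port out of range" >&2; return 1; }
    $IPT -t filter -A "$CHAIN" -p "$proto" -m "$proto" --dport "$port" -j ACCEPT
}

# clear_overrides: return the chain to its normal (empty) state.  The jump
# in INPUT stays, so only the chain contents change.
clear_overrides() {
    $IPT -t filter -F "$CHAIN"
}
```

Run as root for real changes; `IPTABLES=echo ./overrides.sh` style dry runs just print the rules that would be installed.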