On Friday 2012-01-27 14:11, Alex Bligh wrote:

>
>>> I have a legacy application which forwards lots of packets (router,
>>> essentially) and uses a lot of sometimes badly written autogenerated
>>> iptables rules (about 3,000 of them).
>>>
>>> I am seeing on a good day high route cache efficiency. Do packets
>>> which do not follow the slow path (i.e. cache hits) also cache
>>> what iptables rules they hit? Nothing fancy in use bar conn_track.
>>
>> Whether the route lookup was satisfied by cache or not plays no role
>> for Xtables execution.
>
> Thanks. I don't suppose you know of any work on caching iptables lookups

That would not quite work with e.g. matches that change depending on
the moonphase, such as -m statistic --mode nth.

> or non-linearising lookups? I am thinking of rules in the FORWARD chain which
> either select by source prefix or interface (or the destination equivalent)
> and if the criterion is met, jump to another rule.

Partly by use of ipset.
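The "non-linearising" idea from the exchange above, as an added example that is not part of the thread and not anyone's posted code: a generator that rewrites a flat FORWARD ruleset into one chain per ingress interface plus ipset `hash:net` matches, so a packet is tested against a few set lookups instead of walking the whole list. It assumes (the thread does not say) that the legacy rules have the shape `-i IFACE -s PREFIX -j VERDICT` with first-match-wins semantics, that ipset with `hash:net` and the `-m set --match-set` match are available, and a FORWARD policy of DROP. The sample rules are constructed. Grouping consecutive same-verdict prefixes into one set is only safe when no intervening rule with a different verdict overlaps the prefix; the `group_rules` function checks for that and starts a new set when it happens, and the two `*_verdict` functions let you confirm the rewritten policy gives the same answer as the flat one. As the reply notes, this only applies to stateless prefix/interface rules; matches such as `-m statistic --mode nth` cannot be collapsed this way.

```python
"""Rewrite a flat FORWARD ruleset into per-interface chains + ipset hash:net sets.
Added example, not from the netfilter thread. Assumed legacy rule shape:
"-i IFACE -s PREFIX -j VERDICT", first match wins. Output is ipset-restore and
iptables-restore text; nothing is applied to a live system."""
import ipaddress

# Constructed sample of the legacy flat ruleset, in original (first-match) order.
LEGACY_RULES = [
    ("eth0", "10.1.0.0/16",     "ACCEPT"),
    ("eth0", "10.4.0.0/16",     "ACCEPT"),
    ("eth0", "192.0.2.0/24",    "DROP"),
    ("eth0", "10.2.5.0/24",     "DROP"),    # listed BEFORE the /16 that also covers it
    ("eth0", "10.2.0.0/16",     "ACCEPT"),
    ("eth0", "10.5.0.0/16",     "ACCEPT"),
    ("eth1", "10.3.0.0/16",     "ACCEPT"),
    ("eth1", "198.51.100.0/24", "DROP"),
]


def group_rules(rules):
    """Return {iface: [[verdict, [networks]], ...]} giving the same verdict as
    first-match evaluation of the flat list. A prefix joins the most recent
    group with its verdict unless a later group holds an overlapping prefix
    (the flat list would have tested that rule first); then it starts a new group."""
    per_iface = {}
    for iface, prefix, verdict in rules:
        net = ipaddress.ip_network(prefix)
        groups = per_iface.setdefault(iface, [])
        target = None
        for group in reversed(groups):
            if group[0] == verdict:
                target = group
                break
            if any(net.overlaps(other) for other in group[1]):
                break  # an intervening rule with another verdict shadows part of net
        if target is None:
            groups.append([verdict, [net]])
        else:
            target[1].append(net)
    return per_iface


def set_name(iface, idx):
    return f"fwd_{iface}_{idx}"  # hypothetical naming scheme


def render_ipset(groups):
    """ipset-restore text: one hash:net set per group."""
    lines = []
    for iface, runs in groups.items():
        for idx, (verdict, nets) in enumerate(runs):
            name = set_name(iface, idx)
            lines.append(f"create {name} hash:net family inet")
            lines.extend(f"add {name} {net}" for net in nets)
    return "\n".join(lines) + "\n"


def render_iptables(groups, policy="DROP"):
    """iptables-restore text: FORWARD dispatches on -i, subchains test sets.
    policy is an assumption; the thread does not state the FORWARD policy."""
    lines = ["*filter", f":FORWARD {policy} [0:0]"]
    lines += [f":FWD_{iface} - [0:0]" for iface in groups]
    lines += [f"-A FORWARD -i {iface} -j FWD_{iface}" for iface in groups]
    for iface, runs in groups.items():
        for idx, (verdict, _nets) in enumerate(runs):
            lines.append(f"-A FWD_{iface} -m set --match-set {set_name(iface, idx)} src -j {verdict}")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def legacy_verdict(rules, iface, ip, policy="DROP"):
    """Flat-list semantics: (verdict, number of rules evaluated)."""
    addr = ipaddress.ip_address(ip)
    for n, (r_iface, prefix, verdict) in enumerate(rules, start=1):
        if r_iface == iface and addr in ipaddress.ip_network(prefix):
            return verdict, n
    return policy, len(rules)


def grouped_verdict(groups, iface, ip, policy="DROP"):
    """Rewritten semantics: dispatch rules walked + set matches tested."""
    addr = ipaddress.ip_address(ip)
    ifaces = list(groups)
    if iface not in groups:
        return policy, len(ifaces)
    walked = ifaces.index(iface) + 1        # -i dispatch rules evaluated in FORWARD
    for verdict, nets in groups[iface]:
        walked += 1                          # one -m set rule in the subchain
        if any(addr in net for net in nets):  # hash:net membership
            return verdict, walked
    return policy, walked


if __name__ == "__main__":
    g = group_rules(LEGACY_RULES)
    print(render_ipset(g))
    print(render_iptables(g))
    for iface, ip in (("eth0", "10.2.5.7"), ("eth1", "10.3.1.1")):
        print(iface, ip, legacy_verdict(LEGACY_RULES, iface, ip), grouped_verdict(g, iface, ip))
```

Run it and feed the two printed blocks to `ipset restore` and `iptables-restore` on a test box; the verdict pair printed for each sample packet shows the flat and the rewritten ruleset agreeing while the rewritten one evaluates far fewer rules, which is where the gain on a 3,000-rule FORWARD chain comes from.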