On Fri, Mar 08, 2013 at 08:52:37PM +0100, Jan Engelhardt wrote:
>
> On Friday 2013-03-08 20:14, Jim Mellander wrote:
> >
> > In the HPC world, and in network intrusion detection, network
> > performance is paramount. We've found that just having the iptables
> > kernel module loaded without any ruleset substantially reduces
> > performance at high traffic rates.
>
> This one is a known issue with ip_tables/x_tables, and solved in
> xtables2 where you can deallocate the base chains when empty -- (more
> accurately, they do not exist by default and need to be created first)
> -- given finer control over what is being executed.

Just for the record: this idea was initially introduced by nftables back in 2009.

Regards.