On Saturday 2013-03-09 23:10, Pablo Neira Ayuso wrote:

>On Fri, Mar 08, 2013 at 08:52:37PM +0100, Jan Engelhardt wrote:
>>On Friday 2013-03-08 20:14, Jim Mellander wrote:
>>>
>>>Just having the iptables kernel module loaded without any ruleset
>>>substantially reduces performance at high traffic rates.
>>
>>This one is a known issue with ip_tables/x_tables, and solved in
>>xtables2 where you can deallocate the base chains when empty -- (more
>>accurately, they do not exist by default and need to be created first)
>>-- giving finer control over what is being executed.
>
>Just for the record: this idea was initially introduced by nftables
>back in 2009.

This is now recorded in the xt2 userdoc, where a section has been added
indicating capability origin by date and thereby implementation.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
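The thread's point is that an ip_tables table can be present in the packet path while holding no rules at all. The check below is an added example, not code from the thread or from the netfilter project: it parses a constructed `iptables-save` dump (embedded inline, so nothing on the host is touched) and reports which tables are present but carry zero `-A` rules, the state the quoted messages describe. The dump contents and the function names are assumptions for the example.

```shell
# Added example (not from the thread): count rules per table in iptables-save
# output and flag tables that are present but hold no rules at all.
# SAMPLE_DUMP is a constructed dump; on a real host you would feed
# `iptables-save` output into the same awk programs.

SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# rule_count_for_table <table>: print the number of -A rules in that table.
# "*name" lines open a table; ":CHAIN POLICY [p:b]" lines are chain
# declarations, not rules, so only "-A" lines are counted.
rule_count_for_table() {
    printf '%s\n' "$SAMPLE_DUMP" | awk -v want="$1" '
        /^\*/  { table = substr($0, 2); next }
        /^-A / { if (table == want) n++ }
        END    { print n + 0 }'
}

# empty_tables: print, one per line and sorted, every table that appears in
# the dump but has no -A rules. Such a table is still hooked into the packet
# path even though it filters nothing, which is the cost the thread discusses.
empty_tables() {
    printf '%s\n' "$SAMPLE_DUMP" | awk '
        /^\*/  { table = substr($0, 2); seen[table] = 1; next }
        /^-A / { rules[table]++ }
        END    { for (t in seen) if (!(t in rules)) print t }' | sort
}

# Usage: list the tables that are loaded but empty.
empty_tables
```

On the sample dump this reports `nat` and `raw`; `filter` is skipped because it holds two rules. The `sort` at the end only makes the output order deterministic, since awk does not guarantee iteration order over arrays.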