Re: [PATCH 0/3] netfilter : 3 patches to boost ip_tables performance

From: Henrik Nordstrom
Date: Tue Sep 27 2005 - 19:26:13 EST


On Tue, 27 Sep 2005, Andi Kleen wrote:

That could be special cased and done lockless, with the counting
done per CPU.

It's also not very hard for iptables when verifying the table to conclude that there really isn't any "real" rules for a certain hook and then delete that hook registration (only policy ACCEPT rule found). Allowing you to have as many ip tables modules you like in the kernel, but only using the hooks where you have rules. Drawback is that you loose the packet counters on the policy.

Exception: iptable_nat. Needs the hooks for other purposes as well, not just the iptable so here the hooks can not be deactivated when there is no rules.

Regards
Henrik
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/