mark_source_chains (was Re: sending this off-list)

Harald Welte laforge@gnumonks.org
Mon, 26 Nov 2001 19:14:41 +0100


On Mon, Nov 12, 2001 at 09:38:36PM +0100, Robert Olsson wrote:
> It seems like mark_source_chains goes thru all possible flows.
> consider something like this scenario:
> 
[...]

> The kernel seems to investigate the "-A post" 4*3*2 times. Add more machines
> and rules, and it easily expands to thousands upon thousands, taking up hours
> or weeks of kernel-time when you have a complex set of rules.
> My new patch still detects loops, but it minimizes the number of loops.
> Maybe not the ultimate patch, but I don't want to rewrite it totally.
> Thanks for your great job, whatever you decide to do about this.

First of all: you are right. The problem is that we have _lots_ of
traversal when you have complex rulesets with lots of chains.

I have discussed this with Rusty, and we cannot accept your patch straight
ahead.  You are optimizing too much:

We can have targets which are only allowed to be called from particular
hooks (like SNAT only in postrouting).  And one of the jobs of
mark_source_chains is to make sure that we don't have a target in a user
defined chain called from a hook where the target is not allowed.

So if I read your code correctly, you would have to reset the 'beenthere'
to zero at least once at every hook (inside the respective loop).

This is still an optimization; could you please test it and report
to the mailing list?

thanks.

> Regards
> Robban

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
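The exchange above turns on two properties of mark_source_chains: it must find loops, and it must reject a target that is reachable from a hook where that target is not permitted (SNAT outside postrouting). The model below is an added illustration written for this page, not netfilter's own code; the chain graph, the fan-out sizes and the "SNAT only from POSTROUTING" table are all constructed. It walks the chains three ways: exhaustively (every path, so a chain shared by 4*3*2 paths is entered 24 times), with a 'beenthere' set that is reset for every hook, and with a single 'beenthere' shared across hooks. The per-hook reset keeps both checks intact while visiting each chain once per hook; the shared set lets a POSTROUTING walk silence the error that the PREROUTING walk should have raised, which is the objection made in the reply.

```python
"""Constructed model of the traversal done by iptables' mark_source_chains.

Illustration only (not the kernel's code). A ruleset is a dict mapping a
chain name to its rules; a rule is ('jump', chain_name) or ('target', name).
"""

# Constructed restriction table: a target missing here is allowed everywhere.
ALLOWED_HOOKS = {
    "SNAT": {"POSTROUTING"},
    "DNAT": {"PREROUTING", "OUTPUT"},
}


class RulesetError(Exception):
    """A loop, or a target reached from a hook where it is not permitted."""


def check_hook(chains, hook, beenthere=None):
    """Walk every chain reachable from `hook`; return the number of chain entries.

    `beenthere` is the set of chains already fully checked. None means no
    pruning (the exhaustive walk). Chains are added only after their whole
    subtree was walked, so loop detection via the current path still works.
    """
    visits = 0
    path = []  # chains on the current traversal path (loop detection)

    def walk(chain):
        nonlocal visits
        if chain in path:
            raise RulesetError("loop: " + " -> ".join(path + [chain]))
        if beenthere is not None and chain in beenthere:
            return  # pruned: already verified for this beenthere set
        visits += 1
        path.append(chain)
        for kind, value in chains[chain]:
            if kind == "jump":
                walk(value)
            elif hook not in ALLOWED_HOOKS.get(value, {hook}):
                raise RulesetError(f"{value} in {chain} reachable from {hook}")
        path.pop()
        if beenthere is not None:
            beenthere.add(chain)

    walk(hook)
    return visits


def run_checks(chains, hooks, mode):
    """Check each hook in order. mode is 'exhaustive', 'per_hook' or 'global'.

    Returns (visits per hook, error message or None). 'per_hook' resets
    beenthere at every hook; 'global' shares one set across all hooks.
    """
    shared = set()
    visits = {}
    try:
        for hook in hooks:
            if mode == "exhaustive":
                bt = None
            elif mode == "per_hook":
                bt = set()
            else:
                bt = shared
            visits[hook] = check_hook(chains, hook, bt)
    except RulesetError as err:
        return visits, str(err)
    return visits, None


def fanout_ruleset(machines=4, services=3, ports=2):
    """Constructed ruleset: a 4*3*2 fan-out all ending in one 'post' chain."""
    chains = {"POSTROUTING": [("jump", f"m{i}") for i in range(machines)]}
    for i in range(machines):
        chains[f"m{i}"] = [("jump", f"s{j}") for j in range(services)]
    for j in range(services):
        chains[f"s{j}"] = [("jump", f"p{k}") for k in range(ports)]
    for k in range(ports):
        chains[f"p{k}"] = [("jump", "post")]
    chains["post"] = [("target", "SNAT")]
    return chains


# Constructed: one chain with SNAT jumped to from two hooks. Valid from
# POSTROUTING, invalid from PREROUTING; the check must notice the latter.
SHARED_RULESET = {
    "POSTROUTING": [("jump", "shared")],
    "PREROUTING": [("jump", "shared")],
    "shared": [("target", "SNAT")],
}

# Constructed: a plain chain loop.
LOOP_RULESET = {
    "PREROUTING": [("jump", "a")],
    "a": [("jump", "b")],
    "b": [("jump", "a")],
}

if __name__ == "__main__":
    for mode in ("exhaustive", "per_hook", "global"):
        print(mode, run_checks(fanout_ruleset(), ["POSTROUTING"], mode))
        print(mode, run_checks(SHARED_RULESET, ["POSTROUTING", "PREROUTING"], mode))
        print(mode, run_checks(LOOP_RULESET, ["PREROUTING"], mode))
```

Running it shows the exhaustive walk entering 65 chains for the fan-out ruleset (the 'post' chain 24 times) against 11 for the pruned walk, and that only the shared-set variant returns no error for SHARED_RULESET when POSTROUTING is checked before PREROUTING.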