netfilter efficiency

MauroTablo' m.tablo at libero.it
Thu Jan 20 18:56:04 CET 2005


Hi all.
My Linux (+ iptables) based firewall has about 90 forward filtering rules, for TCP packets (about 30 rules), UDP datagrams (about 40 rules) and ICMP messages (about 20 rules).
Suppose a transit TCP packet comes in that doesn't match any of my rules. So the last rule will be applied, because it is the first one that matches the packet (/sbin/iptables -A FORWARD -j DROP).

The question is: does iptables compare the TCP packet with all my 90 rules, or does it compare the packet ONLY WITH the rules for TCP packets (-p tcp)?
In other words, is there a function in netfilter that looks at the protocol type of a transit packet and decides which rules to compare the packet with?

Thank you.
Mauro.
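As an added example, not part of Mauro's post and not netfilter project code: iptables walks the rules of a chain one after another in order. A `-p tcp` rule is rejected for a UDP datagram as soon as its protocol field is checked, so the comparison is cheap, but the rule is still visited, and nothing dispatches on protocol for you. The usual way to get that dispatch is to build it yourself with user-defined chains, so the FORWARD chain only decides which per-protocol chain to consult. The script below emits such a ruleset in iptables-restore format and counts how many rules a packet of a given protocol can be compared against. Chain names, addresses and ports are made up for illustration, and the script only generates text; it does not touch the running firewall.

```shell
#!/bin/sh
# Added example (not from the original post): keep FORWARD short and
# dispatch on protocol into user-defined chains, so an unmatched UDP
# datagram is compared against the FORWARD rules plus the UDP chain,
# never against the TCP or ICMP rules. Addresses and ports are made up.

# Emit a ruleset in iptables-restore format on stdout.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FWD_TCP - [0:0]
:FWD_UDP - [0:0]
:FWD_ICMP - [0:0]
# FORWARD only decides which per-protocol chain to consult.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -j FWD_TCP
-A FORWARD -p udp -j FWD_UDP
-A FORWARD -p icmp -j FWD_ICMP
# A packet that matches nothing in its sub-chain falls back here and
# is dropped, as in the post's final "-A FORWARD -j DROP" rule.
-A FORWARD -j DROP
# Per-protocol chains hold the real policy (illustrative entries only).
# "-p tcp" is repeated because --dport/--syn require it on the rule.
-A FWD_TCP -p tcp -d 192.0.2.10 --dport 80 --syn -j ACCEPT
-A FWD_TCP -p tcp -d 192.0.2.10 --dport 443 --syn -j ACCEPT
-A FWD_TCP -p tcp -s 192.0.2.0/24 --dport 22 --syn -j ACCEPT
-A FWD_UDP -p udp -d 192.0.2.53 --dport 53 -j ACCEPT
-A FWD_UDP -p udp -d 192.0.2.123 --dport 123 -j ACCEPT
-A FWD_ICMP -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
-A FWD_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
COMMIT
EOF
}

# Count the rules appended to one chain in the generated ruleset.
rules_in_chain() {
    build_ruleset | grep -c "^-A $1 "
}

# Worst case for a packet that matches nothing: every FORWARD rule plus
# every rule of its own protocol chain. Rules of other protocols are
# never visited.
worst_case() {
    echo $(( $(rules_in_chain FORWARD) + $(rules_in_chain "$1") ))
}

echo "unmatched TCP packet:   at most $(worst_case FWD_TCP) rules compared"
echo "unmatched UDP datagram: at most $(worst_case FWD_UDP) rules compared"
echo "unmatched ICMP message: at most $(worst_case FWD_ICMP) rules compared"
```

With the post's numbers (30 TCP, 40 UDP, 20 ICMP rules) the same layout compares an unmatched UDP datagram against the five FORWARD rules plus the 40 UDP rules instead of all 90. To check a generated ruleset without loading it, run `build_ruleset | iptables-restore --test` as root; drop `--test` to apply it.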


More information about the netfilter-devel mailing list