condition for 2.6.16

Massimiliano Hofer max at nucleus.it
Fri Apr 28 14:44:50 CEST 2006


On Friday 28 April 2006 1:06 pm, Patrick McHardy wrote:

> > I'll set to work on it. I'll need to change the userspace interface,
> > though. The only O(1) way to do it is to store a pointer (or any other
> > id) in the rule itself. I didn't do it in the previous version because I
> > thought this was really ugly. I can't find any other match doing a similar
> > thing. Anyway I can do it.
>
> Unfortunately it's ugly, but this is a well-known limitation of iptables
> itself. Since it's the only way to do certain things, I won't complain
> if this part is ugly :)

OK. This time I warned you. :)

> > On the other hand I can make it a guaranteed O(log n) or average O(1)
> > without meddling the rule descriptor and with compatible userspace. What
> > do you prefer?
>
> How would you achieve O(1) average?

Hash. But it adds complexity to the code and unnecessary complexity is a form 
of ugliness.

While we're talking about varying degrees of ugliness, how bad would it be if 
I optionally allowed to keep a persistent state across rule removal and 
reinsertion (for example when someone flushes the table and restarts the 
firewalling script)?
I concede that this would really be easy to do in userspace, so maybe I'm 
answering myself. :)

-- 
Saluti,
   Massimiliano Hofer
        Nucleus
