Response time of Iptables
Paul Rusty Russell
Paul.Russell@rustcorp.com.au
Sun, 24 Oct 1999 11:12:10 +1000
In message <m3iu41c43h.fsf@knave.bfnet.com> you write:
> Assume that both packets come from the same IP address, and packet A
> matches a pattern for some evil activity. Assume that our logic
> matches packet A and recognizes the evil activity with negligible
> computing time.
>
> ** Is it possible to change the Iptables rules fast enough to deny IP
> packet B access?
In the current networking infrastructure, yes. It won't be on SMP
boxen in 2.5 (it may be processed on the other CPU). Of course, you
can force serialization inside your extension if you want to, using
spinlocks.
> ** Is it still possible to change the Iptables rules before any more
> packets from the same source are accepted?
Sure.
Enjoy,
Rusty.
--
Hacking time.
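The race Rusty describes, as an added illustration that is not part of the original message and is not netfilter or iptables code: a toy model in which CPU 1 recognizes packet A and inserts a deny rule for its source while CPU 2 is already evaluating packet B from the same source. The packets, the rule table and the cooperative "CPUs" are constructed stand-ins; the `serialize` flag plays the role of the spinlock an extension would take around the match and the rule change.

```python
"""Constructed simulation of a reactive rule insert racing a packet that is
already in the filter hook on another CPU. Not kernel code."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    src: str
    evil: bool          # constructed: "matches a pattern for some evil activity"

@dataclass
class RuleTable:
    denied: set = field(default_factory=set)   # sources that now have a deny rule
    owner: Optional[str] = None                # holder of the simulated spinlock

def hook(cpu: str, pkt: Packet, table: RuleTable, serialize: bool):
    """One CPU running the filter hook for one packet.

    Every `yield` is a point where the scheduler may let the other CPU run,
    standing in for true parallelism on an SMP box."""
    if serialize:
        # Spin until the lock is free, as spin_lock() would in an extension.
        while table.owner not in (None, cpu):
            yield "spinning"
        table.owner = cpu
    snapshot = set(table.denied)   # the rules as seen when this packet is looked up
    yield "rules looked up"
    if pkt.src in snapshot:
        verdict = "DROP"
    else:
        if pkt.evil:
            table.denied.add(pkt.src)   # the reactive rule change
        verdict = "ACCEPT"
    if serialize:
        table.owner = None
    return verdict

def simulate(serialize: bool) -> dict:
    """Run packet A on cpu1 and packet B (same source) on cpu2, interleaving
    the two hooks round-robin, and return each CPU's verdict."""
    table = RuleTable()
    a = Packet("10.0.0.9", evil=True)     # constructed sample source address
    b = Packet("10.0.0.9", evil=False)
    cpus = {"cpu1": hook("cpu1", a, table, serialize),
            "cpu2": hook("cpu2", b, table, serialize)}
    verdicts = {}
    while len(verdicts) < len(cpus):
        for cpu, gen in cpus.items():
            if cpu in verdicts:
                continue
            try:
                next(gen)
            except StopIteration as done:
                verdicts[cpu] = done.value
    return verdicts

if __name__ == "__main__":
    print("no serialization:", simulate(False))   # packet B slips through
    print("spinlock held:   ", simulate(True))    # packet B is dropped
```

Without serialization, cpu2 has already looked up the rules before cpu1 inserts the deny entry, so packet B is accepted; with the lock held across the lookup and the rule change, cpu2 spins until cpu1 is done and then sees the new rule.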