Response time of Iptables
dave-mlist@bfnet.com
26 Oct 1999 19:19:23 -0700
Me> Assume that both packets come from the same IP address, and packet A
Me> matches a pattern for some evil activity. Assume that our logic
Me> matches packet A and recognizes the evil activity with negligible
Me> computing time.
Me>
Me> ** Is it possible to change the Iptables rules fast enough to deny IP
Me> packet B access?
PR> In the current networking infrastructure, yes. It won't be on SMP
PR> boxen in 2.5 (it may be processed on the other CPU). Of course, you
PR> can force serialization inside your extension if you want to, using
PR> spinlocks.
Are you saying that I need to force serialization in an extension in
order to guarantee that any change I make as a result of packet A gets
registered before packet B is processed?
Dave