new netfilter user question

Patrick Schaaf bof@bof.de
Sun, 29 Jul 2001 19:18:15 +0200


> > Exactly. You lose NAT in all its variants, and you lose the '-m state'
> > match in the filter chains. Normal per-packet filter table, and mangle
> > table stuff should work fine.
> 
> What is generally better performing? Not loading ip_conntrack and just using
> ipchains-like filters, OR using ip_conntrack and the state module in rules?

I strongly doubt that you could tell the difference for most real life
workloads and ruleset complexity. However, doing a proper comparison
appears impossible: how would you implement the "same semantics" with
both models? Without equality in semantics, performance comparisons
become somewhat apples to oranges.

The best you can do - and only you can do that - is implement the policy
you want both ways, and run comparisons in your real work environment.
If you use kernel profiling, and run one or the other variant each for
one week, you should get pretty reliable results. I'd love to see them,
especially if they show that my first assumption in the first paragraph
is wrong.

best regards
  Patrick
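
An added example, not part of the original mail or of the netfilter project's own documentation, to make the "same semantics" problem concrete: the policy "LAN hosts may open TCP connections to the Internet, nothing on the Internet may open a connection to the LAN" written once without ip_conntrack (ipchains-style per-packet matching) and once with the state match. Interface names eth0 (Internet side) and eth1 (LAN side) are assumptions. Each function prints a filter table in iptables-restore(8) format so the two rulesets can be compared or loaded as is.

```shell
#!/bin/sh
# Two rulesets for the same intended policy, printed in iptables-restore
# format. Interface names are assumptions: eth0 = Internet, eth1 = LAN.
# Load one of them with:   stateless_rules | iptables-restore
# Neither function touches the kernel by itself; they only print text.

# Variant 1: no ip_conntrack loaded, so no '-m state' and no NAT.
# The only per-packet clue that a TCP packet opens a connection is the
# SYN flag (set) with ACK (clear), which is what '--syn' tests.
stateless_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# LAN -> Internet: let every TCP packet through
-A FORWARD -i eth1 -o eth0 -p tcp -j ACCEPT
# Internet -> LAN: refuse connection-opening packets (SYN without ACK)
# and let every other TCP packet through, whether or not any LAN host
# ever talked to its sender. UDP cannot be expressed at all this way.
-A FORWARD -i eth0 -o eth1 -p tcp ! --syn -j ACCEPT
COMMIT
EOF
}

# Variant 2: ip_conntrack loaded, '-m state' available.
# Packets are accepted because ip_conntrack has seen the flow start from
# the LAN side, not because of a flag in the packet itself.
stateful_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Any packet that belongs to a connection ip_conntrack already tracks,
# in either direction (RELATED covers e.g. ICMP errors for that flow)
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the LAN side may start a new connection
-A FORWARD -i eth1 -o eth0 -p tcp -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules in the FORWARD chain of a printed ruleset, for checking
forward_rule_count() {
    "$1" | grep -c '^-A FORWARD'
}
```

The two tables are the same length, but they do not accept the same packets: an unsolicited inbound TCP packet with ACK set (an ACK scan, or a packet for a connection the firewall never saw open) passes the stateless rules and is dropped by the stateful ones unless ip_conntrack already holds an entry for that flow. That is the apples-to-oranges point in the mail: a benchmark of one against the other measures two different policies, not two implementations of one.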