From: Nils Rennebarth <nils.rennebarth@funkwerk-ec.com>
To: "Humberto Jucá" <betolj@gmail.com>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: REJECT target faster for remote than for local packets?
Date: Tue, 27 Mar 2012 19:45:15 +0200
Message-ID: <4F71FCAB.9090208@funkwerk-ec.com>
In-Reply-To: <CACuyg24vONpi0OSGMsc7MyiZJ_R+fr28KhkYrpBF1fmNKz=XoQ@mail.gmail.com>

On 27.03.2012 19:21, Humberto Jucá wrote:
> Hi,
> 
>>  iptables -I OUTPUT --protocol tcp --dport 80 -j REJECT
> For TCP connections, try to do with "-j REJECT --reject-with tcp-reset".
> It's faster than port unreachable!
Makes no difference here. Takes 3 seconds, exactly the time to the next
SYN packet.

Oh well, that is true for the 2.6.32 kernel. But for the 3.2.0 kernel,
it really does make a difference:

with --reject-with icmp-port-unreachable it takes only 1 second
and with --reject-with tcp-reset the reaction is instantaneous
(i.e. 32ms)

What exactly did change in the kernel and when?

-- 

Mit freundlichen Grüßen / with kind regards

Nils Rennebarth, Software Developer


Thread overview: 3+ messages
2012-03-27 13:51 REJECT target faster for remote than for local packets? Nils Rennebarth
2012-03-27 17:21 ` Humberto Jucá
2012-03-27 17:45   ` Nils Rennebarth [this message]