From: hewa0000@student.mh.se
To: netfilter@lists.netfilter.org
Subject: Rule matching question [iptables code structure]
Date: Tue, 06 May 2003 14:56:45 +0200
Message-ID: <df0d10589.10589df0d@student.mh.se>
[Please mail us personally (oan@itm.mh.se) as well as mailing the list, since we are not members of this mailing list.]
We have a quite difficult question for all you elite people.... =)
When we add a rule to iptables that filters on MAC address (or IP address and port, for that matter), does iptables ONLY check the MAC-address option (as in that case we filter on MAC address)?
Based on the report "Performance analysis of the Linux firewall on a host" by James Harris and Americo J. Melara, it is stated that for each check of whether the MAC address in the rule matches the given MAC address, the iptables algorithm ALWAYS checks all possibilities (MAC address, IP, port, protocol, interface...).
Does anyone know this to be the truth?
We are currently working on a big project where we use big lists of rules that are based on MAC and IP addresses, and we are trying to understand why these lists of rules crave so much computation power to execute.
If iptables always runs a check for every possible way to match our packet with a single rule (IP, MAC, protocol, interface...), it consumes a lot more than necessary (actually we believe it to be around 6 times as much, according to the nature of the algorithm).
Optimally the algorithm would ONLY check for a MAC-address match if that is what we are filtering on. We truly hope this is the case. But please, someone who knows this :-) : answer us!
Sincerely,
Open Access Networks Project MidSweden University.
oan@itm.mh.se
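As an added illustration (not code from this post, from the report, or from netfilter itself), here is a small model of a linear chain walk that counts field comparisons under the two strategies the question contrasts: compare only the fields a rule specifies and stop at the first mismatch, versus touching every field of every rule. The field names, the packet, the MAC values and the 100-rule chain are constructed for the example.

```python
# Model of a linear firewall chain walk that counts field comparisons under
# the two strategies the question contrasts. Rules, packet and MAC values
# are constructed for illustration; this is not netfilter's code.
FIELDS = ("src_ip", "dst_ip", "proto", "dport", "src_mac", "in_iface")


def evaluate(rules, pkt, exhaustive=False, policy="ACCEPT"):
    """Walk the chain in order; return (verdict, number of field comparisons).

    exhaustive=False: compare only the fields a rule specifies and stop at
    the first mismatch.  exhaustive=True: touch every field of every rule,
    wildcards included, as the question's reading of the report assumes.
    """
    comparisons = 0
    for rule in rules:
        matched = True
        for f in FIELDS:
            want = rule["match"].get(f)  # None = field not specified (wildcard)
            if want is None and not exhaustive:
                continue  # a wildcard costs nothing in the selective strategy
            comparisons += 1
            if want is not None and want != pkt[f]:
                matched = False
                if not exhaustive:
                    break
        if matched:
            return rule["target"], comparisons
    return policy, comparisons


def mac_chain(n, accepted_mac):
    """Constructed chain: n rules filtering on source MAC only, last one accepts."""
    rules = [{"match": {"src_mac": f"00:11:22:33:00:{i:02x}"}, "target": "DROP"}
             for i in range(n - 1)]
    rules.append({"match": {"src_mac": accepted_mac}, "target": "ACCEPT"})
    return rules


def compare_strategies(n=100):
    """Cost of one packet that matches only the last of n MAC-only rules."""
    pkt = {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.1", "proto": "tcp",
           "dport": 80, "src_mac": "aa:bb:cc:dd:ee:ff", "in_iface": "eth0"}
    rules = mac_chain(n, pkt["src_mac"])
    return evaluate(rules, pkt), evaluate(rules, pkt, exhaustive=True)
```

With 100 MAC-only rules the selective walk costs 100 comparisons and the exhaustive one 600, which is the six-fold factor the post estimates; either way the cost grows linearly with the length of the chain.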
Thread overview: 3+ messages
2003-05-06 12:56 hewa0000 [this message]
2003-05-10 10:54 ` Rule matching question [iptables code structure] Patrick Schaaf
2003-05-12 8:41 ` Harald Welte