From: hewa0000@student.mh.se
Subject: Rule matching question [iptables code structure]
Date: Tue, 06 May 2003 14:56:45 +0200
Sender: netfilter-admin@lists.netfilter.org
To: netfilter@lists.netfilter.org

[Please mail us personally (oan@itm.mh.se) as well as mailing the list since we are not members of this mailing list]

We have a quite difficult question for all you elite people.... =)

When we add a rule to iptables that filters on MAC address (or IP address and port for that matter), does iptables ONLY check for the MAC-address option (alas, in that case we filter on MAC address)?

Based on the report "Performance analysis of the Linux firewall on a host" by James Harris and Americo J. Melara, it is stated that for each check of whether the MAC address in the rule matches the given MAC address, the iptables algorithm ALWAYS checks all possibilities (MAC address, IP, port, protocol, interface...). Does anyone know this to be the truth?

We are currently working on a big project where we use big lists of rules that are based on MAC and IP addresses, and we are trying to understand why these lists of rules crave so much computation power to execute. If iptables always runs a check for every possible way to match our packet with a single rule (IP, MAC, protocol, interface...), it consumes a lot more (actually we believe it to be around 6 times as much, according to the nature of the algorithm) than necessary. Optimally the algorithm would ONLY check for a MAC-address match if that is what we are filtering on. We truly hope this is also the case. But please, someone who knows this :-) : Answer us!

Sincerely,
Open Access Networks Project
MidSweden University.
oan@itm.mh.se
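As an added illustration of what the question is asking about (this is example code, not part of the post and not the netfilter code itself), the model below follows the evaluation order the kernel's `ipt_do_table()` uses: every rule carries a built-in IP-header part (`ipt_ip`: in/out interface, source and destination with mask, protocol), which is compared for every rule the packet reaches; only if that part passes are the rule's extension matches (such as `-m mac`) run, in the order given, stopping at the first one that fails. The `Rule`, `Packet` and counter names are this example's own, and the rule lists and packet are constructed values. The counters let you see how many header and extension comparisons a MAC-only chain versus a mixed chain actually costs for one packet.

```python
"""Simplified model of per-rule match evaluation in ip_tables.

Added example (not the post's or netfilter's own code). It models the order
used by ipt_do_table(): built-in IP-header criteria first, for every rule
walked; extension matches (e.g. the mac match) only when the header part
passed, in order, short-circuiting on the first failure.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int
    in_if: str
    src_mac: str


@dataclass
class Rule:
    # Built-in ipt_ip criteria. None means "any", which is how iptables stores
    # an unspecified address (0.0.0.0/0) or interface (empty name/mask).
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    proto: Optional[int] = None
    in_if: Optional[str] = None
    # Extension matches (-m ...), evaluated in the order they were given.
    matches: List[Callable[[Packet], bool]] = field(default_factory=list)
    target: str = "DROP"


def mac_match(expected: str) -> Callable[[Packet], bool]:
    """Model of `-m mac --mac-source <addr>` (hypothetical helper)."""
    expected = expected.lower()
    return lambda pkt: pkt.src_mac.lower() == expected


def header_match(rule: Rule, pkt: Packet, counter: Dict[str, int]) -> bool:
    """The ipt_ip comparison that is performed for every rule walked."""
    counter["header"] += 1
    if rule.in_if is not None and rule.in_if != pkt.in_if:
        return False
    if rule.src is not None and pkt.src not in rule.src:
        return False
    if rule.dst is not None and pkt.dst not in rule.dst:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return True


def rule_matches(rule: Rule, pkt: Packet, counter: Dict[str, int]) -> bool:
    """Header part first; extension matches only if it passed."""
    if not header_match(rule, pkt, counter):
        return False
    for m in rule.matches:
        counter["extension"] += 1
        if not m(pkt):
            return False
    return True


def walk_chain(rules: List[Rule], pkt: Packet,
               policy: str = "ACCEPT") -> Tuple[str, Dict[str, int]]:
    """Walk a chain top to bottom; first matching rule decides the verdict."""
    counter = {"rules": 0, "header": 0, "extension": 0}
    for rule in rules:
        counter["rules"] += 1
        if rule_matches(rule, pkt, counter):
            return rule.target, counter
    return policy, counter


# Constructed sample data: five MAC-only rules and one packet from the 4th MAC.
MAC_RULES = [Rule(matches=[mac_match(f"00:11:22:33:44:{i:02x}")])
             for i in range(5)]
PKT = Packet(IPv4Address("10.0.0.7"), IPv4Address("10.0.0.1"), 6,
             "eth0", "00:11:22:33:44:03")

# A rule whose built-in source criterion fails: its mac match is never run.
MIXED_RULES = [Rule(src=IPv4Network("192.168.0.0/16"),
                    matches=[mac_match("00:11:22:33:44:03")])]

if __name__ == "__main__":
    print(walk_chain(MAC_RULES, PKT))
    print(walk_chain(MIXED_RULES, PKT))
```

Running it shows the MAC-only chain costs one (all-wildcard) header comparison plus one MAC comparison per rule walked, and that when a rule's built-in address criterion fails, its extension match is skipped entirely.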