[pve-devel] pve-firewall benchmark result

Alexandre DERUMIER aderumier at odiso.com
Fri Mar 21 12:58:51 CET 2014


>>Would we gain some performance if we move that test to the start of the chain? 

Small gain, I think. (I don't know if the ctstate INVALID should be checked before or not.)


----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Friday 21 March 2014 07:47:37
Subject: RE: [pve-devel] pve-firewall benchmark result

> -A tap110i0-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs 
> -A tap110i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT 
> -A tap110i0-IN -p tcp -j PVEFW-tcpflags 
> -A tap110i0-IN -m conntrack --ctstate INVALID -j DROP 
> -A tap110i0-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # move this to chain start? 

Would we gain some performance if we move that test to the start of the chain? 


