[pve-devel] one chain per interface

Alexandre DERUMIER aderumier at odiso.com
Thu May 22 16:02:44 CEST 2014


>>I wonder why it is necessary to use a separate IN/OUT chain for each interface – can’t we 
>>assemble one IN and one OUT chain to handle all rules (using -i and -o tests)? 

I think it's really a bad idea, because you need to parse each rule of each interface if your interface is at the end of the list.

example: 60 taps with 10 rules, and we check last tap and last rule

current implementation:

60 chains to test + 10 rules


using a common IN|OUT chain:

600 rules to test


(and this can be even worse with a lot of rules by tap)




----- Original Mail ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER (aderumier at odiso.com)" <aderumier at odiso.com>, pve-devel at pve.proxmox.com 
Sent: Thursday 22 May 2014 15:35:25 
Subject: one chain per interface 



I wonder why it is necessary to use a separate IN/OUT chain for each interface – can’t we 
assemble one IN and one OUT chain to handle all rules (using -i and -o tests)? 
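The cost argument in the reply above can be checked with a small model of netfilter-style chain traversal. The following is an added example written for this page, not code from the thread or from the Proxmox firewall; the chain names (`INPUT`, `tapN-IN`), the `--dport`-style match used to fill each chain, and the packets fed in are all constructed assumptions. It builds both layouts (a jump chain per interface versus one flat chain with `-i` tests on every rule), walks them for a packet the way the kernel would, and counts how many rules are evaluated before a verdict is reached.

```python
"""Count rule evaluations for two firewall chain layouts.

Added example for the pve-devel discussion above; not Proxmox code.
Chain names, the dport match and the sample packets are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    iface: Optional[str]        # -i match; None means any interface
    target: str                 # ACCEPT / DROP, or the name of a chain to jump to
    dport: Optional[int] = None  # optional destination-port match (constructed)


@dataclass
class Packet:
    iface: str
    dport: int


@dataclass
class Ruleset:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    tests: int = 0  # number of rule evaluations performed so far

    def evaluate(self, chain: str, pkt: Packet) -> str:
        """Walk one chain in order, follow jumps, and count every rule tested.

        A sub-chain that ends without a verdict returns to the caller,
        which continues with its next rule, as netfilter does.
        """
        for rule in self.chains[chain]:
            self.tests += 1
            if rule.iface is not None and rule.iface != pkt.iface:
                continue
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            if rule.target in self.chains:          # jump to a user chain
                verdict = self.evaluate(rule.target, pkt)
                if verdict != "RETURN":
                    return verdict
                continue
            return rule.target                      # terminal verdict
        return "RETURN"                             # end of chain, no verdict


def per_interface_layout(n_ifaces: int, rules_per_iface: int) -> Ruleset:
    """Current design: INPUT holds one jump per tap, rules live in tapN-IN."""
    rs = Ruleset()
    rs.chains["INPUT"] = []
    for i in range(n_ifaces):
        name = f"tap{i}-IN"
        rs.chains["INPUT"].append(Rule(iface=f"tap{i}", target=name))
        # each per-interface chain gets rules_per_iface port-specific rules
        rs.chains[name] = [Rule(None, "ACCEPT", dport=1000 + r)
                           for r in range(rules_per_iface)]
    return rs


def flat_layout(n_ifaces: int, rules_per_iface: int) -> Ruleset:
    """Proposed design: one INPUT chain, every rule carries its own -i test."""
    rs = Ruleset()
    rs.chains["INPUT"] = [Rule(f"tap{i}", "ACCEPT", dport=1000 + r)
                          for i in range(n_ifaces)
                          for r in range(rules_per_iface)]
    return rs


def count_tests(rs: Ruleset, pkt: Packet) -> Tuple[str, int]:
    """Return (verdict, number of rules evaluated) for one packet."""
    rs.tests = 0
    verdict = rs.evaluate("INPUT", pkt)
    if verdict == "RETURN":
        verdict = "POLICY"  # top-level chain exhausted: chain policy applies
    return verdict, rs.tests


if __name__ == "__main__":
    # The case from the mail: 60 taps, 10 rules each, last tap and last rule.
    worst = Packet("tap59", 1009)
    print("per-interface chains:", count_tests(per_interface_layout(60, 10), worst))
    print("single flat chain:   ", count_tests(flat_layout(60, 10), worst))
    # A packet that matches nothing walks the full structure in both cases.
    miss = Packet("tap59", 9999)
    print("no match, per-iface: ", count_tests(per_interface_layout(60, 10), miss))
    print("no match, flat:      ", count_tests(flat_layout(60, 10), miss))
```

For the 60-tap, 10-rule case the per-interface layout evaluates 60 jump rules plus 10 chain rules (70 tests), while the flat layout evaluates all 600 rules, which is the arithmetic in the reply. The model also shows the cost grows with the interface's position in the jump list in the first layout and with the total number of rules in the second, so the gap widens as rules per tap increase.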

