[pve-devel] one chain per interface
Alexandre DERUMIER
aderumier at odiso.com
Thu May 22 16:02:44 CEST 2014
>>I wonder why it is necessary to use a separate IN/OUT chain for each interface – can’t we
>>assemble one IN and one OUT chain to handle all rules (using -i and -o tests)?
I think it's really a bad idea, because you need to parse each rule of each interface if your interface is at the end of the list.
example: 60 taps with 10 rules, and we check the last tap and the last rule
current implementation:
60 chains to test + 10 rules
using a common IN|OUT chain:
600 rules to test
(and this can be even worse with a lot of rules per tap)
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER (aderumier at odiso.com)" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Thursday, 22 May 2014 15:35:25
Subject: one chain per interface
I wonder why it is necessary to use a separate IN/OUT chain for each interface – can’t we
assemble one IN and one OUT chain to handle all rules (using -i and -o tests)?