[pve-devel] one chain per interface
Dietmar Maurer
dietmar at proxmox.com
Thu May 22 19:21:16 CEST 2014
> >>I wonder why it is necessary to use a separate IN/OUT chain for each
> >>interface – can’t we assemble one IN and one OUT chain to handle all rules
> >>(using -i and -o tests)?
>
> I think it's really a bad idea, because you need to parse each rule of each
> interface if your interface is at the end of the list.
>
> example: 60 taps with 10 rules, and we check the last tap and last rule
>
> current implementation:
>
> 60 chains to test + 10 rules
>
>
> using a common IN|OUT chain:
>
> 600 rules to test
Oh, got it! Thanks.