Re: Why not have firewall rules by default?
From: Henrique de Moraes Holschuh <hmh(at)debian.org>
Date: Fri Jan 25 2008 - 14:36:29 EST
What makes you think they don't know about this? It is a design detail of the way netfilter is implemented, and the two methods of acceleration I mentioned (ip sets and hipac) are linked on the front page of www.netfilter.org. Hashes and other ways of making the packet travel a tree of tables instead of a single very long one are just an obvious way to optimize it from userspace.

> with speed measurements on real workload.

There are papers on these, also linked (indirectly, I believe) from www.netfilter.org. I have read at least one by the ip set guys, and another from the hipac guys about one year ago. I expect the netfilter.org crew actually *write* such papers when they are bored; there is no way they don't know about it. It is a trade-off on code complexity or some such.

And standard netfilter *is* good enough for most uses, plus with the way CPU power is increasing, it is likely to remain good enough for most uses for quite a while yet.

--
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot

Henrique Holschuh

Received on Fri Jan 25 14:37:24 2008