[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netfilter-devel
Subject:    Re: About matching
From:       Jozsef Kadlecsik <kadlec () blackhole ! kfki ! hu>
Date:       2005-04-08 7:18:46
Message-ID: Pine.LNX.4.58.0504080901080.21705 () blackhole ! kfki ! hu
[Download RAW message or body]

Hello,

On Thu, 7 Apr 2005, Wang Jian wrote:

> iptables <match rule 1> -j CONNMARK --set-mark value/mask
> iptables <match rule 1> -j RETURN
>
> How many times the match rule 1 is evaluated when matched? If two, then
> the second time is waste of CPU cycle.
>
> Then think these three
>
> iptables <match rule 1> -j CONNMARK --set-mark value/mask
> iptables <match rule 1> -j CONNMARK --restore --mask mask
> iptables <match rule 1> -j RETURN
>
> Are there any optimization for such case?

No, but what's wrong with a natural subchain called with the condition
<match rule 1>? If the return position should be the chain according to
the original rules above, one could dust off Henrik's goto patch from
pom-ng.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

[prev in list] [next in list] [prev in thread] [next in thread]