Hello everyone :) I'm new to the list, so I apologise if I do anything
that's considered irritating ;)

I work for a (really) small colo provider, and we use Netfilter for
accounting and packet interdiction. Basically, we only allow outgoing
packets if a) the packet is coming from the MAC address of the customer,
and b) if the source IP address of the packet matches one which has been
assigned to that MAC address (customer).

We only allow incoming packets if they are destined for an IP address of
a customer.

eth1 is our internal interface (which is connected to our customer's
machines), and ext3 is our external interface (which is connected to our
T1).

So, in the FORWARD chain, all packets coming in via eth1 (which are
going to be forwarded, obviously) are sent to the "macs" chain. The
"macs" chain has 22 rules (corresponding to the 22 MAC addresses of our
customers), and each rule there jumps to a customer-specific chain
(o_cust), which has a variable number of rules. Those rules -j to yet
another customer-specific rule (of_cust), if the source IP matches what
should be the source IP of that MAC address. of_cust is where we allow
customers to have their own (outgoing) firewall rules.

As you can see, there is a lot of chain-jumping going on. For packets
coming in on ext3, the structure is a bit different but the results are
similar.

So my question is this: How expensive are these chain jumps? Given the
(rather large) number of rules involved, would it make sense to just
dump them all in FORWARD? Would that be cheaper in CPU time?

Thanks in advance for any thoughts and advice :) (Those who flame can
bite me ;)

P.S.: I'm asking this for my boss. I like it the way it is, and I'm
pretty bloody sure that dumping all those god-damned rules into one
chain is gonna kill the poor firewall. But I like to be thorough. Thanks
again :)

-- 
,______________________________________________________________________.
| David B. Harris, Systems administrator   |   http://www.terrabox.com |
|  [EMAIL PROTECTED], [EMAIL PROTECTED]     |     http://eelf.ddts.net  |
|======================================================================|
| Clan Barclay motto: Aut agere, aut mori.  (Either action, or death.) |
`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
