There has been mention of a possible performance impact several times but no evidence presented to prove that. Is there data that shows there *is* performance impact or is there just an assumption that there would be ?
If there is evidence please provide it, if there isn't then please do the testing. I think this case should be considered to be in "waiting need spec" until we know for sure if there actually is a performance impact or not. As for why ipfilter is disabled by default that dates back to when the pfil module was used and that had a much more significant impact than anything the hooks could be doing because it impacted Fireengine. I think (though not this case) it would be worth re considering if ipfilter should always be enabled (and again not this case) if a default rule set should be provided (SBD actually wanted to do this). -- Darren J Moffat
