On Wed, Oct 30, 2002 at 11:46:06PM +0100, Daniel Hartmeier wrote:
> On Wed, Oct 30, 2002 at 11:10:18PM +0100, Henning Brauer wrote:
>
> > Uh well, this sounds like a massive performance penalty... I don't think I
> > like that.
>
> A lookup in an empty list/tree would of course equal a single pointer
> comparison, so if someone is not using the feature, there's no
> additional cost.

there is, you just wrote it:

> A lookup in an empty list/tree would of course equal a single pointer
> comparison

;-)

> And since the lookup happens after the ordinary state lookup (and only
> if that fails), the cost occurs only per connection, not per packet.
> Compare to the per packet cost of forwarding the connection through
> userland...

well. there is additional cost. we need to take care. we start adding
little nifty features here and there, and for itself they all don't cost
much. a few "doesn't cost much" added together gives a noticeable
additional cost.

I question that it can be done secure at all.

Aside from that: people using ftp-proxy in front of a ftp-server which is
not NATed make a fault. it's not needed.