>>Would we gain some performance if we move that test to the start of the chain?
Small gain I think. (don't know if the ctstate invalid should be checked before or not)

----- Original message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>, "pve-devel" <[email protected]>
Sent: Friday 21 March 2014 07:47:37
Subject: RE: [pve-devel] pve-firewall benchmark result

> -A tap110i0-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
> -A tap110i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
> -A tap110i0-IN -p tcp -j PVEFW-tcpflags
> -A tap110i0-IN -m conntrack --ctstate INVALID -j DROP
> -A tap110i0-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # move this to chain start?

Would we gain some performance if we move that test to the start of the chain?
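A toy first-match model of the five quoted rules, added here as an illustration (it is not code from the thread or from pve-firewall), comparing the original order with the RELATED,ESTABLISHED test moved to the chain start. It assumes the PVEFW-smurfs and PVEFW-tcpflags sub-chains return without a verdict, since their contents are not shown in the thread; the sample packets are constructed.

```python
# Added example: toy first-match walk over the tap110i0-IN rules quoted above.
# Assumption: PVEFW-smurfs and PVEFW-tcpflags are opaque sub-chains that RETURN.
ORIGINAL = [
    ("ctstate", {"INVALID", "NEW"}, "PVEFW-smurfs"),
    ("dhcp", None, "ACCEPT"),
    ("proto", "tcp", "PVEFW-tcpflags"),
    ("ctstate", {"INVALID"}, "DROP"),
    ("ctstate", {"RELATED", "ESTABLISHED"}, "ACCEPT"),
]
# Proposed order: the RELATED,ESTABLISHED test moved to the chain start.
REORDERED = [ORIGINAL[4]] + ORIGINAL[:4]

def matches(rule, pkt):
    kind, arg, _ = rule
    if kind == "ctstate":
        return pkt["ctstate"] in arg
    if kind == "proto":
        return pkt["proto"] == arg
    # "dhcp" stands for: -p udp -m udp --sport 67 --dport 68
    return pkt["proto"] == "udp" and pkt.get("sport") == 67 and pkt.get("dport") == 68

def walk(chain, pkt):
    """Return (verdict, rules_tested, sub_chains_visited) for one packet."""
    visited = []
    for tested, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            target = rule[2]
            if target in ("ACCEPT", "DROP"):
                return target, tested, visited
            visited.append(target)  # jump, then RETURN to the next rule
    return "FALLTHROUGH", len(chain), visited  # later rules are not in the thread

# Constructed sample packets, one per conntrack state of interest.
PACKETS = {
    "established tcp": {"ctstate": "ESTABLISHED", "proto": "tcp"},
    "invalid tcp": {"ctstate": "INVALID", "proto": "tcp"},
    "new tcp": {"ctstate": "NEW", "proto": "tcp"},
    "dhcp reply": {"ctstate": "NEW", "proto": "udp", "sport": 67, "dport": 68},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(name, walk(ORIGINAL, pkt), walk(REORDERED, pkt))
```

In this model every packet gets the same verdict in both orders and INVALID packets are still dropped by the same rule; what changes is that ESTABLISHED TCP packets are accepted after one test and no longer enter PVEFW-tcpflags, while other packets pay one extra test.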
