Hi,
>I think the pertinent question is: are you sure that the positioning of
>the DROP rule at present is actually causing a performance issue, and if
>so, how did you work that out?
Yes, I'm sure; I've run several tests. I had the DROP rule on top of my ruleset
and checked if it matched the packets (iptables -nvxL), which it did.
I then added the exact same rule to the mangle table and checked if the packets
get dropped there, which they did. I measured performance of the two
different rulesets with several tools, e.g. ifpps, and found that the DROP
performance in the mangle table is WAY better.
Best regards,
Stefan Behte
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel