Date: Wed, 28 Sep 2005 02:25:16 +0200 (CEST)
From: Henrik Nordstrom
To: Andi Kleen
cc: Harald Welte, netdev@vger.kernel.org, netfilter-devel@lists.netfilter.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/3] netfilter : 3 patches to boost ip_tables performance

On Tue, 27 Sep 2005, Andi Kleen wrote:

> That could be special cased and done lockless, with the counting
> done per CPU.

It's also not very hard for iptables when verifying the table to conclude that there really aren't any "real" rules for a certain hook and then delete that hook registration (only policy ACCEPT rule found). Allowing you to have as many ip tables modules as you like in the kernel, but only using the hooks where you have rules.

Drawback is that you lose the packet counters on the policy.

Exception: iptable_nat. Needs the hooks for other purposes as well, not just the iptable, so here the hooks can not be deactivated when there are no rules.
Regards
Henrik
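An added illustration, not part of the original message and not kernel code: a userspace C model of the check described above, deciding at table-verification time which hooks still need to be registered. All type, function and table names are hypothetical, and the sample tables are constructed.

```c
/* Userspace model only, not kernel code; all names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum hook { PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING, NUM_HOOKS };
enum verdict { V_ACCEPT, V_DROP };
#define BIT(h) (1u << (h))

struct chain {
    size_t nrules;        /* user rules ahead of the policy */
    enum verdict policy;  /* built-in chain policy */
};

struct table {
    const char *name;
    unsigned valid_hooks;       /* bitmask of hooks the table attaches to */
    bool hooks_used_elsewhere;  /* nat case: hooks do more than run the ruleset */
    struct chain chains[NUM_HOOKS];
};

/* Bitmask of hooks that must stay registered after verifying the table.
 * A chain with no rules and policy ACCEPT cannot change any verdict, so
 * its hook can go; a bare DROP policy is still a "real" rule and stays. */
unsigned needed_hooks(const struct table *t)
{
    unsigned mask = 0;
    if (t->hooks_used_elsewhere)
        return t->valid_hooks;
    for (int h = 0; h < NUM_HOOKS; h++) {
        const struct chain *c = &t->chains[h];
        bool noop = c->nrules == 0 && c->policy == V_ACCEPT;
        if ((t->valid_hooks & BIT(h)) && !noop)
            mask |= BIT(h);
    }
    return mask;
}

/* Constructed sample tables. */
const struct table filter_tbl = { "filter",
    BIT(LOCAL_IN) | BIT(FORWARD) | BIT(LOCAL_OUT), false,
    { [LOCAL_IN] = { 3, V_ACCEPT }, [FORWARD] = { 0, V_DROP } } };
const struct table nat_tbl = { "nat",
    BIT(PRE_ROUTING) | BIT(LOCAL_OUT) | BIT(POST_ROUTING), true, { { 0 } } };
const struct table mangle_tbl = { "mangle", 0x1f, false, { { 0 } } };

int main(void) {
    const struct table *all[] = { &filter_tbl, &nat_tbl, &mangle_tbl };
    for (int i = 0; i < 3; i++)
        printf("%-6s needs hooks 0x%02x\n", all[i]->name, needed_hooks(all[i]));
    return 0;
}
```

In this model, dropping a hook also means the policy counters for that chain stop advancing, which is the drawback named in the message.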