On Sep 23, 2005, at 13:47:53, Eric Dumazet wrote:
> Harald Welte wrote:
>> I see a contradiction in your sentence. "a new ip_tables is
>> loaded" every time a user changes a single rule. There are
>> numerous setups that dynamically change the ruleset (e.g. at
>> interface up/down point, or even think of your typical wlan
>> hotspot, where once a user is authorized, he'll get different rules.
>
> But a user changing a single rule usually calls (fork()/exec()) a
> program called iptables. The underlying cost of all this, plus
> copying the rules to user space, so that iptables change them and
> reload them in the kernel is far more important than a
> hypothetical vmalloc_node() performance problem.

Yeah, if you're really worried about the cost of iptables
manipulations, you should probably write your own happy little C
program to atomically load, update, and store the rules. Even then,
the cost of copying the whole ruleset to userspace for modification
is probably greater than that of memory allocation issues, especially
if the ruleset is large enough that memory allocation issues cause
problems :-D
Cheers,
Kyle Moffett
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCM/CS/IT/U d- s++: a18 C++++>$ UB/L/X/*++++(+)>$ P+++(++++)>$ L++++(+
++) E W++(+) N+++(++) o? K? w--- O? M++ V? PS+() PE+(-) Y+ PGP+++ t+(+
++) 5 X R? tv-(--) b++++(++) DI+ D+ G e->++++$ h!*()>++$ r !y?(-)
------END GEEK CODE BLOCK------