On Thu, Sep 11, 2003 at 09:40:46PM -0400, jamal wrote:
> Harald,
>
> Could you not resolve all the ifindices of the said ppp+ interfaces
> at rule installation time and do an integer compare instead?

No, this is a different semantic. Ifindexes change when an interface
goes down and comes up again (let's say you have a PPTP tunnel server
which terminates a couple of ppp* interfaces).

What could be done is to register with the netdev notifiers and then at
every ifup/ifdown event change the ifindex[es] in all rules that use
this style of match.

This is what was done in the 2.2 ipchains code, if I am not mistaken.
However, Rusty went for the string-compare solution while implementing
iptables.

Imagine somebody with lots of ppp interfaces (let's say 40)... and we
would need to resolve all 40 into ifindexes, put them into an array...
How big would you like to make the array? How many interfaces do people
have? How much space do you want to waste (dynamically reallocating this
space while the ruleset is already loaded is not possible)?

And then you have 1000 rules, each of them using a ppp* style match. Then
at every ifdown/ifup you iterate over 1000 rules, checking if you need
to update one of the 40 ifindexes? Quite slow...

> cheers,
> jamal
--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
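
The semantic difference described in this message, as an added example that is not part of the original mail and not netfilter code: a simplified name-prefix compare next to a hypothetical rule form that resolves ifindexes once at installation time. All struct and function names, MAX_IDX and the interface table are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_IDX 4  /* fixed array size: the sizing question raised in the mail */

struct dev        { char name[16]; int ifindex; };  /* simulated interface */
struct index_rule { int idx[MAX_IDX]; int n; };     /* hypothetical rule form */

/* Name compare: a trailing '+' makes the pattern a prefix match ("ppp+"). */
int name_match(const char *pattern, const char *ifname) {
    size_t len = strlen(pattern);
    if (len > 0 && pattern[len - 1] == '+')
        return strncmp(pattern, ifname, len - 1) == 0;
    return strcmp(pattern, ifname) == 0;
}

/* Resolve the pattern to ifindexes once; returns how many did not fit. */
int install_index_rule(struct index_rule *r, const char *pattern,
                       const struct dev *devs, int ndevs) {
    int dropped = 0;
    r->n = 0;
    for (int i = 0; i < ndevs; i++) {
        if (!name_match(pattern, devs[i].name))
            continue;
        if (r->n < MAX_IDX)
            r->idx[r->n++] = devs[i].ifindex;
        else
            dropped++;  /* interface silently not covered by the rule */
    }
    return dropped;
}

int index_match(const struct index_rule *r, int ifindex) {
    for (int i = 0; i < r->n; i++)
        if (r->idx[i] == ifindex)
            return 1;
    return 0;
}

/* Constructed scenario: ppp0 goes down and comes back with a new ifindex.
 * Bit 0 = name rule still matches, bit 1 = index rule still matches. */
int match_after_flap(void) {
    struct dev devs[] = { {"eth0", 2}, {"ppp0", 7}, {"ppp1", 8} };
    struct index_rule r;
    install_index_rule(&r, "ppp+", devs, 3);
    devs[1].ifindex = 12;  /* ppp0 re-created with a new index */
    return name_match("ppp+", devs[1].name) | (index_match(&r, 12) << 1);
}

int main(void) { printf("after flap: %d\n", match_after_flap()); return 0; }
```

Without a notifier that rewrites the stored indexes, the index-based rule stops matching the re-created ppp0 while the name-based rule keeps applying to it.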