Mailing List Archive
Re: [tlug] CPU cycles and packet filtering



Quoth Godwin Stewart (Thu 2002-12-26 02:17:40PM +0100):
> 
> Just how much CPU power does packet filtering (iptables) suck up?

Very little. See below.

> It's pretty much solved the logs filling up, but I was wondering if passing
> packets through such long chains of rules was wasting more CPU power than
> sendmail kicking in, carrying out its usual checks, logging the error and
> bailing out.
> 
> Bearing in mind that nobody in the above-mentioned countries has any reason
> to send me legitimate e-mail, and if someone does then they have other means
> of getting hold of me, which method is better IYO? Firewall or MTA? The
> processor on which my MTA is running is a Pentium-II 266MHz.

I think your solution is pretty sweet. When you do not have to worry about
users, stopping the packet as low as possible in the TCP/IP stack is going
to be the most efficient solution. You are saving yourself memory accesses
(copying between kernel and application buffers) and processing on the
packet, as it is de-multiplexed. Also, iptables is kernel code, saving you
the overhead of sendmail helper process creation (or forking, not sure how
Sendmail does it), context swaps, the whole nine yards of user-level code
getting run.

My opinion? Stick with your iptables solution.

> Why is it that when you transport something by car it's
> called shipment, but when you transport it by ship it's
> called cargo?

Have you also noticed that you park in a driveway and drive
on a parkway? ;)

--Josh


-- 
Josh Glover <jmglov@example.com>

Associate Systems Administrator
INCOGEN, Inc.
http://www.incogen.com/

GPG keyID 0x62386967 (7479 1A7A 46E6 041D 67AE  2546 A867 DBB1 6238 6967)
gpg --keyserver pgp.mit.edu --recv-keys 62386967
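The thread's cost argument (drop the connection at the netfilter layer rather than let sendmail fork, run its checks and log) also depends on how the rules are laid out: a long block list appended straight to INPUT is walked by every packet, SMTP or not. The script below is an added example, not code from the thread or from either poster. It emits, without applying, iptables commands that put the block list in its own chain and jump to that chain only for the first packet of a new SMTP connection, so the long list is consulted once per connection attempt and never for unrelated traffic. The CIDR blocks are constructed sample values (RFC 5737 documentation ranges), and the chain name SMTP_BLOCK is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the original thread): generate iptables commands that
# drop new SMTP connections from a list of source networks via a dedicated chain.
# The networks below are constructed sample values, not real allocations.

SAMPLE_BLOCKS="192.0.2.0/24
# comment lines and blank lines are ignored
198.51.100.0/24

203.0.113.0/24"

# gen_smtp_block_rules CHAIN BLOCKS
# Prints the iptables commands to stdout; nothing is executed here.
gen_smtp_block_rules() {
    chain=$1
    blocks=$2
    # Dedicated chain holding the (possibly long) block list.
    echo "iptables -N $chain"
    echo "$blocks" | while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue           # skip blank lines
        case $cidr in '#'*) continue ;; esac # skip comments
        echo "iptables -A $chain -s $cidr -j DROP"
    done
    # Anything not matched falls back to the calling chain.
    echo "iptables -A $chain -j RETURN"
    # Single entry point: only the SYN of a new connection to port 25 is
    # checked against the list; every other packet skips it entirely.
    echo "iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j $chain"
}

# count_drop_rules BLOCKS: how many DROP rules the list would produce.
count_drop_rules() {
    gen_smtp_block_rules SMTP_BLOCK "$1" | grep -c -- '-j DROP'
}

# Review the output first; pipe it to sh only once it looks right.
gen_smtp_block_rules SMTP_BLOCK "$SAMPLE_BLOCKS"
```

Where the INPUT rule lands matters: it has to sit ahead of any rule that accepts port 25, and behind a rule accepting ESTABLISHED,RELATED traffic so that only connection setup pays for the lookup. DROP keeps the reply on the wire to nothing, which is the cheapest choice on a 266 MHz box but leaves a legitimate sender waiting on a timeout; `-j REJECT --reject-with tcp-reset` gives a faster failure at the cost of one outbound packet.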

