On Tue, Oct 19, 2004 at 06:42:23PM +0200, Martin G.H. Minkler wrote:

> Just out of curiosity - which is faster (what kind of datastructure does
> iptables use)?
>
> a) iptables -A <chain> <rule>
> b) iptables -I <chain> 1 <rule>
>
> Maybe this is rather a kernelspace question and should be directed to
> that mailing list?
I attended a speech by one of the netfilter programmers at the LinuxTag last year. He said that what makes the shell command "iptables" slow is that the whole rules table is copied out of the kernel space, a rule gets added, and the whole rules table is written back. They plan to change that in the future so that iptables can directly change the kernel space.

So whatever the exact data structure is - copying the whole rules table twice will surely waste more time than optimizing linked lists or insert vs. append. :)

Christoph

