> >>Or do you think kernel/netfilter will do this lookup
> >>unconditionally/always
> 
> I'm not sure, but I think it's doing both tests
> (-i vnet0 && -m set --match-set PVEFW-venet0-ipset src).
>

Doing this would be really stupid.
 
> But I'm not iptables expert, maybe they have already optimized this ;)

I assume that they have most basic optimizations, unless someone shows me the 
opposite.



_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
