
Re: tagging & keep state



* Cedric Berger <[email protected]> [2004-06-01 15:50]:
> Henning Brauer wrote:
> >* Ed White <[email protected]> [2004-06-01 13:32]:
> >>On Tuesday 01 June 2004 00:48, David Gwynne wrote:
> >>>There's always annoying edge cases. The only problem I've seen with this
> >>>behaviour of tags is when you're trying to keep track of traceroutes
> >>>through the box. Say you have the following rules
> >>The funny thing is that if you want to use tags to filter on multiple 
> >>interfaces you have to keep state on each of them.
> >>That's the opposite of what FAQ suggests! ;-)
> >what, the FAQ suggests to filter stateless if you have multiple 
> >interfaces? I have to talk to Joel ;)
> *IF* possible, you don't want to have multiple states for the same packet.
> Wastes RAM for little purpose.
wrong.
stateful lookups are by magnitudes faster than rule evaluation, and, 
most important, it gets really hairy really fast with stateless 
filtering in general and in the case where you filter stateful on 
another interface especially.
the RAM cost is minimal and doesn't matter at all in 99.99% of all 
cases.
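To make the tag-plus-state point of this thread concrete, here is an added pf.conf sketch (not posted by anyone in the thread; the interface macros, port and tag name are assumptions) that tags traffic on ingress and matches it on egress, keeping state on both interfaces as Ed describes:

```pf
# Added example, not from the thread. Interface macros, the port and the
# tag name are assumptions; adjust them to the real topology.
ext_if = "fxp0"
int_if = "fxp1"

block in all
block out all

# Ingress on the external interface: classify the flow with a tag and
# keep state, so replies on $ext_if are matched by a state lookup
# instead of another pass through the ruleset.
pass in on $ext_if proto tcp from any to any port 80 tag WEB_IN keep state

# Egress on the internal interface: only packets carrying the tag pass.
# This creates a second state entry for the same flow, one per interface;
# that is the RAM cost Cedric objects to and Henning considers negligible.
pass out on $int_if tagged WEB_IN keep state

# Dropping "keep state" from the $int_if rule would make every outbound
# packet on that interface go through rule evaluation again, which is
# the slower and harder-to-reason-about path Henning warns about.
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -ss` to see the two state entries the same connection produces.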