
Re: [ANNOUNCE] nf-hipac v0.8 released: msg#00857

Subject: Re: [ANNOUNCE] nf-hipac v0.8 released
Hi Pekka

You wrote:
We are going to test the stuff tomorrow on an i386 and tell you
the results afterwards.

Well, nf-hipac works fine together with the ebtables patch for 2.4.21
on an i386 machine. We expect it to work with other patches too.

In principle, nf-hipac should work properly with the bridge patch.
We expect it to work just like iptables apart from the fact that
you cannot match on bridge ports.

Well, this statement holds for the native nf-hipac in/out interface
match but of course you can match on bridge ports with nf-hipac
using the iptables physdev match. So everything should be fine :)

One obvious thing that's missing in your performance and Roberto's figures is what *exactly* are the non-matching rules. Ie. do they only match IP address, a TCP port, or what? (TCP port matching is about a degree of complexity more expensive with iptables, I recall.)

[answered in private e-mail]


Regards,

+-----------------------+----------------------+
|   Michael Bellion     |     Thomas Heinz     |
| <mbellion@xxxxxxxxx>  |  <creatix@xxxxxxxxx> |
+-----------------------+----------------------+




