Casual technical question about /etc/services

Tarek W. mailinglists1 at
Tue Mar 30 06:15:09 PST 2004

On Tue, 2004-03-30 at 06:14, Dagmar d'Surreal wrote: [snipped]
> On Mon, 2004-03-29 at 19:45, Tarek W. wrote:
> > 2) ip_conntrack is either loaded by explicitly using "-m state" in an
> > iptables rule or by manually loading it
> I generally trust that kmod will do the necessary things.  I still don't
> see why so many people's scripts forcibly load those modules, aside from
> just being too lazy to specify only the ones that have to be loaded
> manually (like the IRC and FTP masqing modules).  *sigh*

To expand on what you said, all ip_conntrack helper modules have to be
loaded "manually"; they aren't loaded automagically.

I think that's why sometimes you see ip_conntrack or other modules loaded
manually also, because not many people know that *only* ip_conntrack
helper modules have to be loaded manually.

> Actually, I was trying to make sure that invoking the state matching
> module explicitly for outgoing UDP traffic on particular ports wasn't
> going to increase the overhead incurred by netfilter.  It looks like
> that's not the case, but I'm sure we'll hear about it eventually if it
> is the case.  Normally, even for clients I wouldn't care unless the

Actually, I can guarantee that specifying the state match (utilizing
ipt_state.o) does not incur any overhead in the ip_conntrack.o area
(loading or operation) after the former is loaded. However, it is an extra
rule and some overhead will be incurred when traffic is inspected by
that rule, as I'm sure you already know.

> machine weren't carrying traffic at full speed, but I don't want people
> going around making mealy-mouthed comments about how we "senselessly
> waste clockcycles" or somesuch.

I'd like to reiterate that traffic begins to deteriorate only at speeds
above 30ish mbits and for a packet size of around 512 bytes, so I
shouldn't expect any negative comments in that area from anybody.
Anyway, firewall design refinement doesn't have to come this early;
security is primordial if I'm not mistaken.

More information about the hlfs-dev mailing list