Hi,

can anybody comment on the cost of matching with IPP2P vs. Layer7.

Also, does an iptables rule with a more complicated matching mechanism also slow down processing if all the packets are matched before they reach the rule. I.e. is the mere existence of a potentially costly rule already slowing down processing or only if packets are actually processed by it?

Thanks very much in advance.

Best regards,
Arik

I was just about to post the same post,

I currently use ipp2p and it works pretty well. It just doesn't seem to track Morpheus (FastTrack) protocols, otherwise it works pretty well. I have quite a lot of connections and haven't seen any performance issues. My next step is to add L7 as well with ipp2p to completely block/shape p2p.

However I find L7 a bit more tricky than ipp2p to compile.
Cannot comment on L7

J

Arik Raffael Funke wrote:
> Hi,
>
> can anybody comment on the cost of matching with IPP2P vs. Layer7.
>
> Also, does an iptables rule with a more complicated matching mechanism also
> slow down processing if all the packets are matched before they reach
> the rule. I.e. is the mere existence of a potentially costly rule
> already slowing down processing or only if packets are actually
> processed by it?
>
> Thanks very much in advance.
>
> Best regards,
> Arik

L7 compiled fine on Fedora Core 4 with kernel 2.6.12.6 with the following procedure:

1. patched kernel sources with ipp2p using patch-o-matic-ng
2. patched kernel with the patch file from l7
3. patched iptables-1.3.5 with l7
4. make/install iptables
5. make/install kernel

I had to adjust the destination directories for iptables to fit Fedora's convention.

Best regards,
Arik

Jandre Olivier wrote:
> I was just about to post the same post,
>
> I currently use ipp2p and it works pretty well. It just doesn't seem to
> track Morpheus (FastTrack) protocols, otherwise it works pretty well. I
> have quite a lot of connections and haven't seen any performance issues.
> My next step is to add L7 as well with ipp2p to completely block/shape p2p.
>
> However I find L7 a bit more tricky than ipp2p to compile.
> Cannot comment on L7
>
> J

Ok

How match hosts?

How is your FC4 performance with those settings?

bests
andres.