hi,
in the masq file's documentation, there is a sentence:
"If you have a static IP on that interface, listing it here makes processing of output packets a little less expensive for the firewall."
does this really mean that SNAT to the primary address is less expensive than a MASQ rule in netfilter? is this documented anywhere in iptables/netfilter?
thanks.

-- 
Levente "Si vis pacem para bellum!"
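As an added illustration of what the quoted sentence is about (this is example code, not Shorewall's own compiler and not part of the original thread): a masq entry of the form INTERFACE SUBNET with no ADDRESS column corresponds to a MASQUERADE rule, which has to look up the outgoing interface's current address when a connection's NAT mapping is created, while an entry with a static ADDRESS corresponds to an SNAT rule with a fixed --to-source. The translation below is a simplified rendering of that correspondence for the three leading columns only; the interface, subnet and address values are constructed samples.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: render a simplified
# /etc/shorewall/masq line (INTERFACE SUBNET [ADDRESS]) as the kind of
# netfilter POSTROUTING rule it stands for. Only the first three columns
# are handled; "-" or an empty ADDRESS column means MASQUERADE.
masq_to_rule() {
    iface=$1
    subnet=$2
    addr=${3:--}           # missing ADDRESS column is treated like "-"
    if [ "$addr" = "-" ]; then
        # Dynamic address: the kernel resolves the interface address
        # when the NAT mapping for a new connection is set up.
        target="MASQUERADE"
    else
        # Static address: fixed at rule load time, no per-connection lookup.
        target="SNAT --to-source $addr"
    fi
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j %s\n' \
        "$subnet" "$iface" "$target"
}

# Render every non-blank, non-comment line of a masq file read from stdin.
render_masq_file() {
    while read -r iface subnet addr _rest; do
        case "$iface" in
            ''|'#'*) continue ;;
        esac
        masq_to_rule "$iface" "$subnet" "$addr"
    done
}

# Constructed sample file: the same interface with and without a static address.
SAMPLE_MASQ='#INTERFACE SUBNET          ADDRESS
eth0       192.168.1.0/24
eth0       192.168.2.0/24  203.0.113.10'

printf '%s\n' "$SAMPLE_MASQ" | render_masq_file
```

Running it prints one MASQUERADE rule for the first entry and one SNAT rule for the second; the cost difference the documentation refers to lies in how the source address of each new connection is chosen, not in how subsequent packets of an established connection are handled, since those follow the existing conntrack mapping either way.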
Farkas Levente wrote:
> hi,
> in the masq file's documentation, there is a sentence:
> "If you have a static IP on that interface, listing it here makes
> processing of output packets a little less expensive for the firewall."
> does this really mean that SNAT to the primary address is less expensive than
> a MASQ rule in netfilter? is this documented anywhere in
> iptables/netfilter?

I don't have a ready reference, if that is what you are asking.

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Farkas Levente wrote:
>
>> hi,
>> in the masq file's documentation, there is a sentence:
>> "If you have a static IP on that interface, listing it here makes
>> processing of output packets a little less expensive for the firewall."
>> does this really mean that SNAT to the primary address is less expensive than
>> a MASQ rule in netfilter? is this documented anywhere in
>> iptables/netfilter?
>
> I don't have a ready reference, if that is what you are asking.

i'm just searching the web, netfilter docs etc. and couldn't find any other place (except the shorewall doc) that says this is true or what the reason for it can be. that's why i ask; maybe i missed some places...

-- 
Levente "Si vis pacem para bellum!"
Farkas Levente wrote:
>
> i'm just searching the web, netfilter docs etc. and couldn't find any other
> place (except the shorewall doc) that says this is true or what the
> reason for it can be. that's why i ask; maybe i missed some places...
>

If you don't choose to believe it, that's fine -- I'm not going to spend my vacation trying to justify the statement to you.

-Tom
Tom Eastep wrote:
> Farkas Levente wrote:
>
>>> i'm just searching the web, netfilter docs etc. and couldn't find any other
>>> place (except the shorewall doc) that says this is true or what the
>>> reason for it can be. that's why i ask; maybe i missed some places...
>>>
>
> If you don't choose to believe it, that's fine -- I'm not going to spend
> my vacation trying to justify the statement to you.
>

But if you are interested in doing some research, try entering the search string "SNAT vs MASQUERADE" in Google -- should keep you reading for a while.

-Tom