Update Release Notes for MACLIST_TTL

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2014 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-23 08:03:11 +01:00 · 2005-03-25 23:56:46 +00:00 · 2005-03-25 23:56:46 +00:00 · eefa28308a
commit eefa28308a
parent f4cae112fd
1 changed files with 22 additions and 0 deletions
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -36,6 +36,28 @@ New Features in version 2.2.3
   connections will be allowed in accordance with the contents of
   /etc/shorewall/routestopped.

+3) The performance of configurations with a large numbers of entries in
+   /etc/shorewall/maclist can be improved by setting the new 
+   MACLIST_TTL variable in /etc/shorewall/shorewall.conf.
+
+   If your iptables and kernel support the "Recent Match" (see the
+   output of "shorewall check" near the top), you can cache the results
+   of a 'maclist' file lookup and thus reduce the overhead associated
+   with MAC Verification.
+
+   When a new connection arrives from a 'maclist' interface, the packet
+   passes through then list of entries for that interface in
+   /etc/shorewall/maclist. If there is a match then the source IP
+   address is added to the 'Recent' set for that interface. Subsequent
+   connection attempts from that IP address occuring within
+   $MACLIST_TTL seconds will be accepted without having to scan all
+   of the entries. After $MACLIST_TTL from the first accepted
+   connection request from an IP address, the next connection request
+   from that IP address will be checked against the entire list.
+
+   If MACLIST_TTL is not specified or is specified as empty (e.g, 
+   MACLIST_TTL="" or is specified as zero then 'maclist' lookups
+   will not be cached.
 -----------------------------------------------------------------------
 Problems corrected in version 2.2.2