From eefa28308a3763ee4f903d1f8466c4af17cac82c Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 25 Mar 2005 23:56:46 +0000 Subject: [PATCH] Update Release Notes for MACLIST_TTL git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2014 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/releasenotes.txt | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index bfe1fc199..e28620b40 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -36,6 +36,28 @@ New Features in version 2.2.3 connections will be allowed in accordance with the contents of /etc/shorewall/routestopped. +3) The performance of configurations with a large numbers of entries in + /etc/shorewall/maclist can be improved by setting the new + MACLIST_TTL variable in /etc/shorewall/shorewall.conf. + + If your iptables and kernel support the "Recent Match" (see the + output of "shorewall check" near the top), you can cache the results + of a 'maclist' file lookup and thus reduce the overhead associated + with MAC Verification. + + When a new connection arrives from a 'maclist' interface, the packet + passes through then list of entries for that interface in + /etc/shorewall/maclist. If there is a match then the source IP + address is added to the 'Recent' set for that interface. Subsequent + connection attempts from that IP address occuring within + $MACLIST_TTL seconds will be accepted without having to scan all + of the entries. After $MACLIST_TTL from the first accepted + connection request from an IP address, the next connection request + from that IP address will be checked against the entire list. + + If MACLIST_TTL is not specified or is specified as empty (e.g, + MACLIST_TTL="" or is specified as zero then 'maclist' lookups + will not be cached. ----------------------------------------------------------------------- Problems corrected in version 2.2.2
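Review bot: the new paragraph describing the 'Recent' set should state the trade-off the cache introduces: the set is keyed on source IP address only, so after one successful match every packet from that IP is accepted for up to $MACLIST_TTL seconds without its MAC being compared against /etc/shorewall/maclist; the release note should tell administrators to keep MACLIST_TTL small on interfaces where MAC verification is relied upon. Also fix the typos in the added text before merging: "a large numbers of entries" should read "a large number of entries", "passes through then list of entries" should read "passes through the list of entries", "occuring" should read "occurring", and the last paragraph is missing its closing parenthesis, for example `If MACLIST_TTL is not specified or is specified as empty (e.g., MACLIST_TTL="") or is specified as zero then 'maclist' lookups will not be cached.`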