On Thu, 16 Dec 2004 14:07:49 +0100 Balazs Scheidler <bazsi@balabit.hu> wrote:
On Thu, 2004-12-16 at 10:42, Timothy Webster wrote:
Which is more efficient?
filter f_pop_acc { program("pop3") and match("not have pop"); }; filter f_mail { facility(mail); };
log { source(s_sys); filter(f_mail); filter(f_pop_acc); destination(d_pop_acc);
or
filter f_pop_acc { facility(mail) and program("pop3") and match("not have pop"); }; log { source(s_sys); filter(f_pop_acc); destination(d_pop_acc);
Sorry too lazy to look at the code :)
I think it should be about the same. The first one traverses a linked list of filters and breaks out the loop if a filter does not match, the second uses the parse tree generated by the config parser, using C's && operator, which similarly does lazy evaluation.
-- Bazsi
thx, -tim.