Date: Fri, 7 Jan 2000 12:49:37 -0500
From: "Patrick Bihan-Faou" <patrick@mindstep.com>
To: "Luigi Rizzo" <luigi@info.iet.unipi.it>
Cc: <freebsd-current@FreeBSD.ORG>
Subject: Re: ipfw optimizations
Message-ID: <003301bf5937$90b0c340$c80aa8c0@local.mindstep.com>
References: <200001070922.KAA03892@info.iet.unipi.it>
Hi Luigi,

> i am looking at (minor) optimizations of the ipfw code in order to reduce
> the running time in the common cases.
>
> I have a few ideas (mostly along the lines of optimizing for the
> most commonly-used rules). An obvious candidate is the 'match all'
> rule (all from any to any), but can people suggest other common
> usage of rules in ipfw ?

One of the things I would do to optimize ipfw is:

- instead of keeping one list with all the rules, split the list (the internal one) by interface and by direction (one list for ed1 incoming, one list for ed1 outgoing, etc.).
- then eventually you could be doing the same thing by IP protocol number, but it might not be worth it (with regard to the amount of work required).

I think that it is a better way to optimize ipfw than optimizing the "match all" rule, since in any security-conscious setup this is likely to be a deny rule, and who cares if it takes a little longer to deny a packet?

My goal usually is to accept legitimate packets as early as possible, reject really obvious stuff also fairly early, and then handle the less common stuff. At last there is my match-all deny rule, but it does not get exercised that often.

One advantage of having a compiled ruleset for each interface is that it would speed up the processing quite a bit by not going over rules that are not applicable. I looked once at doing that on the 3.x-STABLE ipfw, and even if it did not seem to be *too* complicated to do, I did not have the time to go further.

Any thoughts ?

Patrick.
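The per-interface, per-direction split Patrick proposes, as an added illustration that is not part of the thread and not ipfw's own code: a toy first-match ruleset is evaluated once by walking the single flat list and once through lists "compiled" per (interface, direction). The compiled lists keep the original rule order and also carry the wildcard rules (any interface, any direction), which is what keeps the two evaluators equivalent; the benefit shows up as fewer rules examined per packet. The rule numbers, interface indices and protocol numbers are a constructed sample, and the `struct rule`/`struct pkt` layouts are assumptions for the example, not ipfw's structures.

```c
#include <stdio.h>
#include <string.h>

#define MAX_RULES  16
#define MAX_IFACES 4           /* interface indices 0..3 in this example */
#define NDIRS      2           /* DIR_IN, DIR_OUT */

enum action { ALLOW = 0, DENY = 1 };
enum dir    { DIR_IN = 0, DIR_OUT = 1, DIR_ANY = 2 };
#define IFACE_ANY (-1)

struct rule {
    int num;          /* ipfw-style rule number, only for readability */
    int iface;        /* interface index, or IFACE_ANY */
    int dir;          /* DIR_IN, DIR_OUT or DIR_ANY */
    int proto;        /* IP protocol number, or 0 for any */
    enum action act;
};

struct pkt { int iface; int dir; int proto; };

/* Constructed sample ruleset (assumption for this example): accept the
 * common traffic per interface early, finish with the match-all deny. */
static const struct rule ruleset[] = {
    {100,   0,         DIR_IN,  6,  ALLOW},   /* ed0 in  tcp      */
    {200,   0,         DIR_OUT, 0,  ALLOW},   /* ed0 out any      */
    {300,   1,         DIR_IN,  17, ALLOW},   /* ed1 in  udp      */
    {400,   1,         DIR_OUT, 0,  ALLOW},   /* ed1 out any      */
    {500,   2,         DIR_IN,  1,  DENY },   /* ed2 in  icmp     */
    {600,   2,         DIR_IN,  6,  ALLOW},   /* ed2 in  tcp      */
    {700,   2,         DIR_OUT, 0,  ALLOW},   /* ed2 out any      */
    {65535, IFACE_ANY, DIR_ANY, 0,  DENY },   /* match-all deny   */
};
#define NRULES ((int)(sizeof ruleset / sizeof ruleset[0]))

static int rule_matches(const struct rule *r, const struct pkt *p) {
    if (r->iface != IFACE_ANY && r->iface != p->iface) return 0;
    if (r->dir   != DIR_ANY   && r->dir   != p->dir)   return 0;
    if (r->proto != 0         && r->proto != p->proto) return 0;
    return 1;
}

/* Single list: walk every rule until the first match. *examined receives
 * the number of rules looked at, so the two strategies can be compared. */
int eval_flat(const struct pkt *p, int *examined) {
    int n = 0;
    for (int i = 0; i < NRULES; i++) {
        n++;
        if (rule_matches(&ruleset[i], p)) { *examined = n; return ruleset[i].act; }
    }
    *examined = n;
    return DENY;   /* fail closed if nothing matched */
}

/* One list per (interface, direction), built once from the flat ruleset.
 * Each list holds, in original order, only the rules that can apply there,
 * including the wildcard rules, so first-match semantics are preserved. */
struct chain { const struct rule *rules[MAX_RULES]; int n; };
static struct chain chains[MAX_IFACES][NDIRS];

void compile_chains(void) {
    memset(chains, 0, sizeof chains);
    for (int ifc = 0; ifc < MAX_IFACES; ifc++)
        for (int d = 0; d < NDIRS; d++)
            for (int i = 0; i < NRULES; i++) {
                const struct rule *r = &ruleset[i];
                if ((r->iface == IFACE_ANY || r->iface == ifc) &&
                    (r->dir   == DIR_ANY   || r->dir   == d))
                    chains[ifc][d].rules[chains[ifc][d].n++] = r;
            }
}

int eval_split(const struct pkt *p, int *examined) {
    *examined = 0;
    /* A packet on an unknown interface or direction has no chain: deny it
     * rather than index out of bounds. */
    if (p->iface < 0 || p->iface >= MAX_IFACES || p->dir < 0 || p->dir >= NDIRS)
        return DENY;
    const struct chain *c = &chains[p->iface][p->dir];
    for (int i = 0; i < c->n; i++) {
        (*examined)++;
        if (rule_matches(c->rules[i], p)) return c->rules[i]->act;
    }
    return DENY;
}

int main(void) {
    const struct pkt samples[] = { {2, DIR_IN, 6}, {1, DIR_OUT, 6}, {0, DIR_IN, 17} };
    compile_chains();
    for (int i = 0; i < 3; i++) {
        int nf, ns;
        int af = eval_flat(&samples[i], &nf);
        int as = eval_split(&samples[i], &ns);
        printf("pkt iface=%d dir=%d proto=%d: flat=%s (%d rules) split=%s (%d rules)\n",
               samples[i].iface, samples[i].dir, samples[i].proto,
               af == ALLOW ? "allow" : "deny", nf, as == ALLOW ? "allow" : "deny", ns);
    }
    return 0;
}
```

The check that matters when doing this for real is the one the sample program performs for every packet: both evaluators must return the same verdict, since a chain that drops a wildcard rule or reorders rules silently changes policy. Rebuilding the chains on every rule add or delete is the price of the faster lookup.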