Date: Fri, 7 Jan 2000 11:02:52 -0800 (PST)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: phk@critter.freebsd.dk (Poul-Henning Kamp)
Cc: luigi@info.iet.unipi.it (Luigi Rizzo), patrick@mindstep.com (Patrick Bihan-Faou), freebsd-current@FreeBSD.ORG
Subject: Re: ipfw optimizations
Message-ID: <200001071902.LAA11964@gndrsh.dnsmgr.net>
In-Reply-To: <6724.947268571@critter.freebsd.dk> from Poul-Henning Kamp at "Jan 7, 2000 07:09:31 pm"

> In message <200001071802.TAA05558@info.iet.unipi.it>, Luigi Rizzo writes:
> >> One of the things I would do to optimize ipfw is:
> >> - instead of keeping one list with all the rules, split the list (the
> >> internal one) by interface and by direction (one list for ed1 incoming,
> >> one list for ed1 outgoing, etc.).
> >
> >one skipto rule is enough to switch between two rulesets depending
> >on direction, so this is not really worthwhile.
> >I agree that having a `switch' type of rule for selecting interfaces
> >would be a reasonable gain of efficiency (but then again.. how
> >many interfaces is one using!)
>
> I still think we should split the current "one huge list of rules"
> into several lists:
>
> Two lists per interface:
>       one list of rules for inbound packets
>       one list of rules for outbound packets
...

I used to think this was the way to do it too, until I went and
figured out how to do the exact same thing using the current setup.
What we have now is actually more flexible than this proposed
configuration in that it allows a superset of this, plus you don't have
to duplicate rules in multiple sets, ie:

ipfw add 1000 deny ip from 10.0.0.0/8 to any
ipfw add 1001 deny ip from any to 10.0.0.0/8

covers all interfaces, I don't have to add those and the 6 others to
every interface rule set like we do on the Ciscos.

The skipto situation may be slightly inefficient due to the number
of comparisons needed, perhaps adding the ability to dispatch more
directly rather than a chain of skipto's, though I can't come up with
a simple syntax for this off the top of my head. :-(

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net
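
The layout discussed in the message above, as an added example that is not part of the original e-mail or of FreeBSD's own scripts: the two global rules are written once, then a chain of skipto rules hands each packet to a per-interface, per-direction block. The rule numbers from 2000 up, the block size, the interface names and the helper names gen_ruleset and dispatch_depth are assumptions.

```sh
#!/bin/sh
# Constructed example. Rule numbers from 2000 up, the 1000-rule block size
# and the interface names are assumptions, not taken from the message.
# Dry run by default: commands are printed. Set IPFW=ipfw to load them.
IPFW="${IPFW:-echo ipfw}"

gen_ruleset() {
    # Global rules from the message: written once, checked on every interface.
    $IPFW add 1000 deny ip from 10.0.0.0/8 to any
    $IPFW add 1001 deny ip from any to 10.0.0.0/8

    # Dispatch chain: one skipto per (interface, direction) pair.
    n=2000; base=10000
    for ifc in "$@"; do
        for dir in in out; do
            $IPFW add "$n" skipto "$base" ip from any to any "$dir" via "$ifc"
            n=$((n + 10)); base=$((base + 1000))
        done
    done
    # Traffic on an interface that was not listed matches no skipto.
    $IPFW add "$n" deny ip from any to any

    # One block per pair. Site rules go at base+1 .. base+998; the closing
    # deny stops a packet from falling through into the next block.
    base=10000
    for ifc in "$@"; do
        for dir in in out; do
            $IPFW add $((base + 999)) deny ip from any to any
            base=$((base + 1000))
        done
    done
}

# How many skipto rules a packet on interface $1, direction $2 is compared
# against before it reaches its block (the cost the message mentions).
dispatch_depth() {
    want="$1/$2"; shift 2; depth=0
    for ifc in "$@"; do
        for dir in in out; do
            depth=$((depth + 1))
            if [ "$ifc/$dir" = "$want" ]; then echo "$depth"; return 0; fi
        done
    done
    echo "$depth"   # unlisted interface: every skipto was tested
}

gen_ruleset ed0 ed1
```

The depth grows by two for every interface added, which is the chain-of-comparisons cost the message refers to; putting the busiest interface first in the argument list keeps its dispatch shortest.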
