From owner-freebsd-current Fri Jan 7 11:18:52 2000
Delivered-To: freebsd-current@freebsd.org
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (Postfix) with ESMTP id 5153714E22 for ; Fri, 7 Jan 2000 11:18:47 -0800 (PST) (envelope-from logix@foobar.franken.de)
Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id UAA18144; Fri, 7 Jan 2000 20:18:10 +0100 (CET)
Message-ID: <20000107201809.B17766@foobar.franken.de>
Date: Fri, 7 Jan 2000 20:18:09 +0100
From: Harold Gutch
To: Nate Williams, Luigi Rizzo
Cc: Patrick Bihan-Faou, freebsd-current@FreeBSD.ORG
Subject: Re: ipfw optimizations
References: <003301bf5937$90b0c340$c80aa8c0@local.mindstep.com> <200001071802.TAA05558@info.iet.unipi.it> <200001071837.LAA06133@mt.sri.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <200001071837.LAA06133@mt.sri.com>; from Nate Williams on Fri, Jan 07, 2000 at 11:37:02AM -0700
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Jan 07, 2000 at 11:37:02AM -0700, Nate Williams wrote:
> > > One of the things I would do to optimize ipfw is:
> > > - instead of keeping one list with all the rules, split the list (the
> > > internal one) by interface and by direction (one list for ed1 incoming,
> > > one list for ed1 outgoing, etc.).
> >
> > one skipto rule is enough to switch between two rulesets depending
> > on direction, so this is not really worthwhile.
> > I agree that having a `switch' type of rule for selecting interfaces
> > would be a reasonable gain of efficiency (but then again.. how
> > many interfaces is one using!)
>
> It doesn't matter, it has to do the lookup on a per-interface basis. On
> my firewall box, I have 11 interfaces.
>
> Two ethernet, one loopback, 4 slip, and 4 tunnel.
>
> I could easily see a speedup from using per-interface lists.
I haven't looked at the firewalling code in the kernel, but couldn't you gain exactly this speedup by issuing this stuff manually? Add a bunch of "skipto" rules at the very beginning of your ruleset and have them branch to rule 5000, 10000, 15000 etc. and then set up your per-interface rules beginning at exactly these rules.

In fact, isn't that what Linux' "ipchains" are all about? You split up the rules and branch to one of your rulesets at the beginning. I've never seen anything special in this feature, since ipfw does that as well (you just don't have magical names for your rules but numbers instead).

bye,
  Harold

--
Someone should do a study to find out how many human life spans have been lost waiting for NT to reboot.
  Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc
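The layout Harold describes (a dispatch table of skipto rules at the top, one rule block per interface starting at 5000, 10000, 15000, and so on) as an added example; this is a constructed POSIX sh script, not code from the original mail or from the ipfw project. The interface names, the 5000-rule block spacing, the split of each block into an inbound half and an outbound half at base+2500, and the sample allow/deny policy inside each block are all assumptions. By default the script only prints the ipfw commands so it can be inspected anywhere; on a FreeBSD box it can be run as `IPFW=ipfw sh ipfw-blocks.sh`.

```shell
#!/bin/sh
# Constructed example: build a per-interface ipfw ruleset using skipto
# dispatch. IPFW defaults to "echo ipfw" so the script prints the rules
# instead of loading them; set IPFW=ipfw to apply them for real.
IPFW="${IPFW:-echo ipfw}"

# block_base INDEX: first rule number of interface INDEX's block.
# Index 0 -> 5000, 1 -> 10000, 2 -> 15000 (the spacing from the mail).
block_base() {
    echo $(( 5000 * ($1 + 1) ))
}

# gen_dispatch IFACE...: the branch table at the top of the ruleset.
# Inbound packets jump to the block base, outbound to base+2500, so every
# interface gets its own list per direction. Rules 100.. are the dispatch
# table; a catch-all deny sits right before the first block so a packet on
# an interface that is not listed cannot fall through into ed0's rules.
gen_dispatch() {
    i=0
    for iface in "$@"; do
        base=$(block_base $i)
        $IPFW add $((100 + 2 * i)) skipto $base ip from any to any in via "$iface"
        $IPFW add $((101 + 2 * i)) skipto $((base + 2500)) ip from any to any out via "$iface"
        i=$((i + 1))
    done
    $IPFW add 4999 deny log ip from any to any
}

# gen_block INDEX IFACE: the rules for one interface. The policy here is a
# constructed sample (established TCP and ICMP in, everything out); the point
# is that each half-block ends in an explicit deny, so nothing spills over
# into the next interface's block.
gen_block() {
    base=$(block_base $1)
    iface=$2
    # ipfw rule numbers stop at 65535, so 5000-rule blocks fit 12 interfaces.
    if [ $((base + 4999)) -gt 65535 ]; then
        echo "too many interfaces for 5000-rule blocks" >&2
        return 1
    fi
    # inbound half
    $IPFW add $base allow tcp from any to any established in via "$iface"
    $IPFW add $((base + 1)) allow icmp from any to any in via "$iface"
    $IPFW add $((base + 2499)) deny log ip from any to any in via "$iface"
    # outbound half
    $IPFW add $((base + 2500)) allow ip from any to any out via "$iface"
    $IPFW add $((base + 4999)) deny log ip from any to any out via "$iface"
}

# gen_ruleset IFACE...: dispatch table followed by one block per interface.
gen_ruleset() {
    gen_dispatch "$@"
    i=0
    for iface in "$@"; do
        gen_block $i "$iface"
        i=$((i + 1))
    done
}

# lo0 is listed on purpose: with the catch-all deny in the dispatch table,
# any interface left out of the list has all its traffic dropped.
gen_ruleset lo0 ed0 ed1 tun0
```

The trailing deny in each half-block is what makes the per-interface split safe: ipfw walks rules in numeric order, so without it a packet that matched nothing in ed0's inbound list would continue straight into ed0's outbound rules and then into ed1's block. The catch-all at 4999 plays the same role for the dispatch table itself.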