Date: Tue, 21 Oct 2003 20:59:38 -0700 From: Lars Eggert <larse@ISI.EDU> To: jos@catnook.com Cc: freebsd-net@freebsd.org Subject: Re: Filtering question: checking for many addresses in a single rule? Message-ID: <3F9600AA.7000500@isi.edu> In-Reply-To: <20031022022626.GA91044@lizzy.catnook.com> References: <20031022022626.GA91044@lizzy.catnook.com>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
Jos Backus wrote:
> If one has many (thousands) hosts/addresses that the same filter action needs
> to be taken for, what would be the most efficient way to implement this using,
> say, ipfw or ipfilter? I'm referring to the ability to create/load a large
> hashed set of addresses and a way to refer to the set in a filter rule. So
> rather than having many rules that need to be scanned sequentially there would
> only be one rule and the matching mechanism would use a hash table instead.
>
> Thoughts?
You can generate a rule set based on matching increasingly specific
subnets in combination with skipto, i.e. simulate a trie-like structure
with the firewall. This can can get you down to O(log).
It's not as automatic as you'd like though, probably.
Lars
--
Lars Eggert <larse@isi.edu> USC Information Sciences Institute
[-- Attachment #2 --]
0 *H
01
0 +�0 *H
�� 080fErtcvE.0
*H
�01
0 UZA10U
Western Cape10U Cape Town10U
Thawte Consulting1(0&U
Certification Services Division1$0"UThawte Personal Freemail CA1+0) *H
personal-freemail@thawte.com0
000830000000Z
040827235959Z01
0 UZA10U
Western Cape10U Cape Town10
U
Thawte1
0U
Certificate Services1(0&U Personal Freemail RSA 2000.8.3000
*H
��0�32c %E>nx'gڈD)c5*mp<ܮto034qmOe
KaU5u'rװ
|CBPQ<9TIf�- ki�N0L0)U
"0
0
10UPrivateLabel1-2970U
0�0
U
0
*H
��1KG]qSl]y=&b""I'{9$
*8PUl
LGl
X1B li+@]jy.%݊
Z<D&iHΥbb090
vo0
*H
�01
0 UZA10U
Western Cape10U Cape Town10
U
Thawte1
0U
Certificate Services1(0&U Personal Freemail RSA 2000.8.300
030801172929Z
040731172929Z0T10
UEggert1
0
U*Lars10U
Lars Eggert1
0 *H
larse@isi.edu0"0
*H
��0
�>ן~H(ԢGV׆־25B03ݰת^RIH
�=%J
kA^R)y�H80P ~qrU|c~\;ҋ^哪
!֍
&d@Cd"O"f$FrGe|r<z"%h+Z`3<}̘}9ʮcnb6RX ٫e~XgK7,ìEYU?�V0T0*+e!0 �00L2uMyffBNUbNJJcdZ2s0U
0
larse@isi.edu0
U
0�0
*H
��5Kkt[@
jj:Fg Xj
(8yPo!})5M[ ش]wʼnQd!GyFRiKd!8h\7γSD`a[qiY+Gqn?!090
vo0
*H
�01
0 UZA10U
Western Cape10U Cape Town10
U
Thawte1
0U
Certificate Services1(0&U Personal Freemail RSA 2000.8.300
030801172929Z
040731172929Z0T10
UEggert1
0
U*Lars10U
Lars Eggert1
0 *H
larse@isi.edu0"0
*H
��0
�>ן~H(ԢGV׆־25B03ݰת^RIH
�=%J
kA^R)y�H80P ~qrU|c~\;ҋ^哪
!֍
&d@Cd"O"f$FrGe|r<z"%h+Z`3<}̘}9ʮcnb6RX ٫e~XgK7,ìEYU?�V0T0*+e!0 �00L2uMyffBNUbNJJcdZ2s0U
0
larse@isi.edu0
U
0�0
*H
��5Kkt[@
jj:Fg Xj
(8yPo!})5M[ ش]wʼnQd!GyFRiKd!8h\7γSD`a[qiY+Gqn?!10001
0 UZA10U
Western Cape10U Cape Town10
U
Thawte1
0U
Certificate Services1(0&U Personal Freemail RSA 2000.8.30
vo0 +�0 *H
1
*H
0
*H
1
031022035938Z0# *H
10,E
9Q1c0R *H
1E0C0
*H
0*H
�0
*H
@0+0
*H
(0 +71001
0 UZA10U
Western Cape10U Cape Town10
U
Thawte1
0U
Certificate Services1(0&U Personal Freemail RSA 2000.8.30
vo0
*H
101
0 UZA10U
Western Cape10U Cape Town10
U
Thawte1
0U
Certificate Services1(0&U Personal Freemail RSA 2000.8.30
vo0
*H
��;Aw|ղ�d+Oy6KՠoV#RJ8=
%^e&�7GUA
nt҇?2d
A?14,ں<rmFtؒ[ۈԦ
%DE
ClN*Gc,[F
Q?\?
Y@LPfo`cЇ521lC灡O{rHʙpRqWeH>������
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3F9600AA.7000500>