From: Jos Backus <jos@catnook.com>
To: freebsd-net@freebsd.org
Date: Wed, 22 Oct 2003 09:38:10 -0700
Subject: Re: Filtering question: checking for many addresses in a single rule?
Message-ID: <20031022163832.GC39913@lizzy.catnook.com>
In-Reply-To: <3F9600AA.7000500@isi.edu>
References: <20031022022626.GA91044@lizzy.catnook.com> <3F9600AA.7000500@isi.edu>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Oct 21, 2003 at 08:59:38PM -0700, Lars Eggert wrote:
> Jos Backus wrote:
> >If one has many (thousands) hosts/addresses that the same filter action
> >needs to be taken for, what would be the most efficient way to implement
> >this using, say, ipfw or ipfilter?
> You can generate a rule set based on matching increasingly specific
> subnets in combination with skipto, i.e. simulate a trie-like structure
> with the firewall. This can get you down to O(log).
>
> It's not as automatic as you'd like though, probably.

Right.
That would be one way of making the existing rule-based mechanism more efficient, but it would presumably still be too slow and cumbersome to maintain. However, Pyun YongHyeon pointed me to pf's table feature, which looks like it fits the ticket perfectly, so I'm going to investigate that.

Thanks, Lars.

-- 
Jos Backus, Sunnyvale, CA
jos at catnook.com
require 'std/disclaimer'
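The pf table approach Jos says he will investigate, as an added example that is not part of the original thread or of pf's own documentation: a script that generates a pf.conf in which a single rule matches every entry of a table preloaded from a file, so the ruleset stays the same size whether the list holds four addresses or forty thousand, plus the pfctl invocations used to maintain the table at runtime. The interface name, file paths and the sample addresses are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds a pf.conf that
# filters an arbitrarily long address list through one table-backed rule.
# em0, the temp paths and the addresses are assumptions for illustration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BLOCKLIST="$WORK/blocklist.txt"   # assumed path; one address or CIDR per line
PFCONF="$WORK/pf.conf"

# Constructed sample input standing in for thousands of entries.
# pf table files accept comments and blank lines, and mix IPv4 and IPv6.
write_sample_blocklist() {
  cat > "$1" <<'EOF'
# constructed sample entries (documentation prefixes), not real hosts
192.0.2.0/24
198.51.100.17
203.0.113.0/25
2001:db8::/32
EOF
}

# Emit a ruleset in which every listed address is handled by ONE rule.
# persist: keep the table alive even if no rule references it after a reload.
# file:    preload the entries from disk when the ruleset is loaded.
gen_pf_conf() {
  cat <<EOF
ext_if = "em0"   # assumed external interface
table <blocklist> persist file "$1"
block in quick on \$ext_if from <blocklist> to any
pass in on \$ext_if proto tcp to any port 22
EOF
}

# Number of filter rules in a generated ruleset; independent of list length.
rule_count() { grep -cE '^(block|pass) ' "$1"; }

# Number of non-empty lines (entries plus comments) in the list file.
list_lines() { grep -c . "$1"; }

write_sample_blocklist "$BLOCKLIST"
gen_pf_conf "$BLOCKLIST" > "$PFCONF"

# Runtime maintenance; needs root on a pf host (FreeBSD/OpenBSD), so it is
# shown here as comments rather than executed:
#   pfctl -nf "$PFCONF"                            # parse/syntax check only
#   pfctl -f "$PFCONF"                             # load ruleset, preloading the table
#   pfctl -t blocklist -T add 192.0.2.99           # add one entry, no ruleset reload
#   pfctl -t blocklist -T replace -f "$BLOCKLIST"  # swap in the file's current contents
#   pfctl -t blocklist -T test 198.51.100.17       # ask whether an address would match
#   pfctl -t blocklist -T show                     # dump the live table
```

The point of the table is that membership is evaluated by the kernel's table lookup rather than by walking one rule per address, and entries can be added, deleted or replaced with `pfctl -t ... -T` without reloading the ruleset; the quoted skipto/trie construction for ipfw, by contrast, has to be regenerated and reloaded every time the list changes.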