From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 6 05:36:53 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7070016A4CE for <freebsd-ipfw@freebsd.org>; Thu, 6 Nov 2003 05:36:53 -0800 (PST)
Received: from mout1.freenet.de (mout1.freenet.de [194.97.50.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id A214A43FD7 for <freebsd-ipfw@freebsd.org>; Thu, 6 Nov 2003 05:36:49 -0800 (PST) (envelope-from ino-qc@spotteswoode.de.eu.org)
Received: from [194.97.55.148] (helo=mx5.freenet.de) by mout1.freenet.de with asmtp (Exim 4.24) id 1AHkJc-0004Kg-95 for freebsd-ipfw@FreeBSD.org; Thu, 06 Nov 2003 14:36:48 +0100
Received: from pd9501624.dip.t-dialin.net ([217.80.22.36] helo=spotteswoode.dnsalias.org) by mx5.freenet.de with asmtp (ID inode@freenet.de) (Exim 4.24 #2) id 1AHkJb-0004KN-Th for freebsd-ipfw@FreeBSD.org; Thu, 06 Nov 2003 14:36:48 +0100
Received: (qmail 77122 invoked by uid 0); 6 Nov 2003 13:37:08 -0000
Date: 6 Nov 2003 14:36:46 +0100
From: "Clemens Fischer"
To: "Artis Caune"
In-Reply-To: <20031106110605.E785D43FF2@mx1.FreeBSD.org> (Artis Caune's message of "Thu, 6 Nov 2003 13:04:31 +0200")
References: <20031106110605.E785D43FF2@mx1.FreeBSD.org>
User-Agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: freebsd-ipfw@FreeBSD.org
Subject: Re: loading lot of rules takes very long time
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Thu, 06 Nov 2003 13:36:53 -0000

* Artis Caune:

> rules are added like:
> ipfw -q add 1 pipe 1 src-ip 1.1.1.1 out via em0
> ipfw pipe 1 config bw 30Kbytes/s queue 10
> ...
> so 'ipfw' is invoked '2 x client_count' !!!

why don't you just prepare the rules in a file and load that in one
single invocation of ipfw(8)?

like so:

--8<---cut here:--start--->8--
#!/bin/sh
# $Header: /l/dns/RCS/fw.sh,v 1.11 2003/09/25 01:33:44 root Exp root $
# outside interface
oif1="${2:-tun0}"
...
# $fw (the ipfw binary), $Lllog, $notok and die() are used below but are
# not shown here; they belong to the elided part of the script.
fw_rules="/l/dns/fw.current"
fw_rules_X="${fw_rules}_X"
# lockf(1) serialises writers and loaders of the rule file:
# -s is silent, -t 55 waits up to 55 seconds for the lock
lock="lockf -s -t 55 ${fw_rules_X}"
# write the complete rule set into the file, under the lock
${lock} /bin/cat > "$fw_rules" << EEOOFF || die "${notok}" "$0: cannot lock fw input"
add deny ip from any to 127.0.0.0/8 in recv ${oif1}
add deny ip from 127.0.0.0/8 to any out xmit ${oif1}
add allow ip from any to any via lo0
...
# Deny all the rest.
add 65400 deny $Lllog ip from any to any
#
EEOOFF
# flush the active rule set and load the whole file in one ipfw(8) call
$fw -q flush
${lock} $fw -q "$fw_rules" || die "${notok}" "$0: cannot lock ipfw"
exit $?
--8<---cut here:---end---->8--

> maybe ipfw need feature like:
> ipfw -f /etc/rc.firewall

well, the man page is a swell reading in cases like this. it even
describes options on the usage of preprocessors in this really old
feature: "ipfw [-cnNqS] [-p preproc [preproc-flags]] pathname".

clemens
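The per-client pipe rules from the original question, generated into a single rule file and loaded with one ipfw(8) invocation as the reply suggests. This is an added example, not the script from the post above: the interface name, the rule-file path, the client list and the rule-numbering scheme (1000 + pipe number) are constructed placeholders, and the actual load step is only run when the script is invoked with the argument `load`, so the generator can be exercised without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the original post): build per-client ipfw pipe
# rules into one file and hand that file to ipfw(8) once, instead of
# running ipfw twice per client.
# Assumptions: $OIF, $RULES, the client list and the rule numbers are
# constructed placeholders; $IPFW may point at a wrapper for dry runs.

IPFW="${IPFW:-/sbin/ipfw}"
OIF="${OIF:-em0}"                       # outside interface (assumed)
RULES="${RULES:-/var/tmp/fw.clients}"   # generated rule file (assumed path)
LOCK="${RULES}.lock"

# Constructed client list: "<pipe-number> <client-ip> <bandwidth>" per line.
CLIENTS='1 192.0.2.10 30Kbytes/s
2 192.0.2.11 64Kbytes/s
3 192.0.2.12 128Kbytes/s'

# gen_rules: read "pipe ip bw" triples on stdin and emit rule-file lines on
# stdout, in the form ipfw(8) accepts when given a pathname (one command per
# line, without the leading "ipfw"). Blank lines and '#' lines are skipped.
# The rule number is derived from the pipe number, so reloads are
# deterministic and a client's rule can be found by number.
gen_rules() {
    while read -r pipe ip bw; do
        case "$pipe" in ''|'#'*) continue ;; esac
        printf 'pipe %s config bw %s queue 10\n' "$pipe" "$bw"
        printf 'add %s pipe %s src-ip %s out via %s\n' \
            "$((1000 + pipe))" "$pipe" "$ip" "$OIF"
    done
}

# load_rules: write the generated file, then flush and reload it in one
# ipfw invocation. lockf(1) serialises concurrent loaders (FreeBSD only).
load_rules() {
    printf '%s\n' "$CLIENTS" | gen_rules > "$RULES" || return 1
    lockf -t 30 "$LOCK" sh -c "$IPFW -q flush && $IPFW -q $RULES"
}

if [ "${1:-}" = load ]; then
    load_rules
fi
```

Run with `sh fw-clients.sh load` on the firewall host to regenerate and load; without an argument the script only defines the functions. A -q flush followed by a load from one file is the same pattern as the reply's script, so an error in the file still leaves the firewall without the per-client rules until the load succeeds; checking the generated file before the flush (for instance with `ipfw -n`) is the usual precaution.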