Date: 6 Nov 2003 14:36:46 +0100
From: "Clemens Fischer" <ino-qc@spotteswoode.de.eu.org>
To: "Artis Caune" <ac@latnet.lv>
Cc: freebsd-ipfw@FreeBSD.org
Subject: Re: loading lot of rules takes very long time
Message-ID: <ad79y5x7.fsf@ID-23066.news.dfncis.de>
In-Reply-To: <20031106110605.E785D43FF2@mx1.FreeBSD.org> (Artis Caune's message of "Thu, 6 Nov 2003 13:04:31 +0200")
References: <20031106110605.E785D43FF2@mx1.FreeBSD.org>
* Artis Caune:

> rules are added like:
> ipfw -q add 1 pipe 1 src-ip 1.1.1.1 out via em0
> ipfw pipe 1 config bw 30Kbytes/s queue 10
> ...
> soo 'ipfw' is invoked '2 x client_count' !!!

why don't you just prepare the rules in a file and load that in one
single invocation of ipfw(8)? like so:

--8<---cut here:--start--->8--
#!/bin/sh
# $Header: /l/dns/RCS/fw.sh,v 1.11 2003/09/25 01:33:44 root Exp root $

# outside interface
oif1="${2:-tun0}"
...
fw_rules="/l/dns/fw.current"
fw_rules_X="${fw_rules}_X"
# lockf(1) serialises writers of the rule file and the ipfw load below
lock="lockf -s -t 55 ${fw_rules_X}"

# write the complete rule set (ipfw commands without the leading "ipfw")
${lock} /bin/cat > "$fw_rules" << EEOOFF || die "${notok}" "$0: cannot lock fw input"
add deny ip from any to 127.0.0.0/8 in recv ${oif1}
add deny ip from 127.0.0.0/8 to any out xmit ${oif1}
add allow ip from any to any via lo0
...
# Deny all the rest.
add 65400 deny $Lllog ip from any to any
#
EEOOFF

# flush, then load the whole file in a single ipfw invocation
$fw -q flush
${lock} $fw -q "$fw_rules" || die "${notok}" "$0: cannot lock ipfw"
exit $?
--8<---cut here:---end---->8--

> maybe ipfw needs a feature like:
> ipfw -f /etc/rc.firewall

well, the man page is a swell reading in cases like this. it even
describes options on the usage of preprocessors in this really old
feature: "ipfw [-cnNqS] [-p preproc [preproc-flags]] pathname".

clemens
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ad79y5x7.fsf>
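The per-client pipe case from the thread, done the way Clemens suggests, as an added example (this is not code from the mail or from FreeBSD): a script generates one "pipe N config" line and one dummynet rule per client into a single file and loads that file with one ipfw(8) invocation. The interface em0, the rule numbering (BASE + pipe number from 1000), the 30Kbytes/s / queue 10 shaping parameters and the CLIENTS list are assumptions constructed for the example; the loader function is the only place ipfw is run.

```shell
#!/bin/sh
# Added example, not code from the original mail. Generates one pipe config and
# one dummynet rule per client into a single file, then (optionally) loads that
# file with ONE ipfw(8) invocation instead of forking ipfw twice per client.
# Assumptions (not from the mail): interface em0, rule numbers BASE+pipe from
# 1000, 30Kbytes/s with a 10-packet queue, and the constructed CLIENTS list.

set -eu

# Constructed sample input: "pipe_number src_ip" per line. The last line is a
# deliberately malformed entry to show that it is rejected rather than loaded.
CLIENTS='1 10.0.0.1
2 10.0.0.2
3 10.0.0.3
4 not.an.ip'

OIF="${OIF:-em0}"          # outgoing interface to shape
BASE="${BASE:-1000}"       # rule number = BASE + pipe number
BW="${BW:-30Kbytes/s}"     # per-client bandwidth
QLEN="${QLEN:-10}"         # queue length in packets

# gen_rules <outfile>: write the ipfw command file for every valid client.
# Lines in the file are ipfw commands without the leading "ipfw".
gen_rules() {
    out="$1"
    printf '%s\n' "$CLIENTS" | while read -r pipe ip; do
        # pipe number must be a positive integer and src a dotted quad;
        # anything else is skipped with a warning so one bad entry cannot
        # make ipfw abort half-way through the file.
        case "$pipe" in ''|*[!0-9]*) echo "skip: bad pipe '$pipe'" >&2; continue;; esac
        if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "skip: bad address '$ip' for pipe $pipe" >&2
            continue
        fi
        printf 'pipe %s config bw %s queue %s\n' "$pipe" "$BW" "$QLEN"
        printf 'add %s pipe %s ip from %s to any out xmit %s\n' \
            "$((BASE + pipe))" "$pipe" "$ip" "$OIF"
    done > "$out"
}

# count_rules <file>: number of "add" rules in a generated file.
count_rules() {
    grep -c '^add ' "$1" || true
}

# load_rules <file>: a single ipfw invocation for the whole file.
# IPFW can be overridden; "ipfw -n <file>" only syntax-checks the file.
load_rules() {
    "${IPFW:-/sbin/ipfw}" -q "$1"
}

# Usage: sh fwgen.sh gen  /tmp/fw.rules   (generate only)
#        sh fwgen.sh load /tmp/fw.rules   (generate and load)
case "${1:-}" in
    gen)  gen_rules "${2:-/tmp/fw.rules}" ;;
    load) gen_rules "${2:-/tmp/fw.rules}"; load_rules "${2:-/tmp/fw.rules}" ;;
esac
```

Running `ipfw -n` on the generated file before `load` catches syntax errors without touching the kernel, which matters because a file-load that stops half-way leaves a partially installed rule set; validating each client entry while generating avoids producing such a file in the first place.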