From owner-freebsd-current Tue May 19 09:54:16 1998
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA25099 for freebsd-current-outgoing; Tue, 19 May 1998 09:54:16 -0700 (PDT) (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA24971; Tue, 19 May 1998 09:54:07 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id QAA03639; Tue, 19 May 1998 16:53:56 GMT
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id SAA28656; Tue, 19 May 1998 18:53:50 +0200 (MET DST)
Message-ID: <19980519185349.49553@follo.net>
Date: Tue, 19 May 1998 18:53:49 +0200
From: Eivind Eklund
To: Luigi Rizzo
Cc: kjc@csl.sony.co.jp, current@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: struct ifnet handling...
References: <19980519172127.08361@follo.net> <199805191356.PAA09388@labinfo.iet.unipi.it>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1i
In-Reply-To: <199805191356.PAA09388@labinfo.iet.unipi.it>; from Luigi Rizzo on Tue, May 19, 1998 at 03:56:59PM +0200
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This belongs in -net - please send further messages there (I'm sending this message to both lists to allow an orderly transition).

On Tue, May 19, 1998 at 03:56:59PM +0200, Luigi Rizzo wrote:
> > If you're interested in implementing fast firewall code, there are a
> > lot of changes that are more interesting than removing that strncmp().
> > One of them is getting rid of the dual pass through the firewall rules
> > - which you can do by switching to a chained system.
>
> Can you explain? I don't get this. If you refer to the poor
> implementation of SKIPTO rules, I already fixed that yesterday (and
> it is in today's dummynet patches).

I'm referring to the implementation of the recv, xmit and 'via' rules. They're implemented by running the _entire_ ruleset once when the packet arrives, and once when it leaves. Search for ip_fw_chk_ptr in ip_output.c and ip_input.c.

> One thing I was thinking is to see rules as instructions, and each rule
> does only ONE test (be it on addresses, ports, etc.) This way you can
> quickly switch to the right piece of code, and avoid testing the flags
> 16 times on each rule to see which tests to apply and which one not.

Yes, that's a good internal representation. Be aware that you can also use a test as a 'split' - view the entire system as a tree. If you use a model that is easy to manipulate this can be reasonably simple to implement.

One way is to look at a packet (including flags etc) as a series of bits which can be masked against. This is fairly tractable - rules can be viewed as either a mask/match or a selection of bits with a min/max value. Both ways of viewing these are generic (the proof is trivial), and it is possible to transform back and forth. I have code to do some of these transforms available somewhere; if you want to play with this to look at different optimization models, you can have a copy.

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
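The two ideas in the message above (one test per rule, tests used as splits in a tree, and packets seen as a bit vector matched either by mask/match or by a min/max on a field) are illustrated below in a small, self-contained C example. This is added illustration code, not Eivind's transform code and not anything from ipfw or dummynet; the fixed 13-byte packet layout, the field offsets, the `range_to_mm` decomposition and the node layout are all assumptions made for the example. The range-to-mask/match transform is the general prefix decomposition of an interval (the same construction that turns an address range into CIDR blocks), so it goes slightly beyond the ports used in the demo.

```c
/* Firewall rules as single tests over a packet bit vector: mask/match,
 * min/max ranges, and a single-pass decision tree.  Example code only;
 * the packet layout and all offsets are assumptions for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_BYTES 13          /* assumed layout: src(4) dst(4) sport(2) dport(2) proto(1) */
#define SRC_OFF   0
#define DST_OFF   4
#define SPORT_OFF 8
#define DPORT_OFF 10
#define PROTO_OFF 12
#define MAX_MM    32          /* a 16-bit range decomposes into at most 2*16 blocks */

struct pkt { uint8_t b[PKT_BYTES]; };                       /* the packet as a bit vector */
struct mm  { uint8_t mask[PKT_BYTES], match[PKT_BYTES]; };  /* one mask/match test */
struct range { uint8_t off; uint16_t lo, hi; };             /* min/max on a 16-bit field */

/* Build a packet with the fields stored big-endian at the assumed offsets. */
static struct pkt mk_pkt(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport, uint8_t proto)
{
    struct pkt p;
    uint8_t *b = p.b;
    b[0] = src >> 24; b[1] = src >> 16; b[2] = src >> 8; b[3] = (uint8_t)src;
    b[4] = dst >> 24; b[5] = dst >> 16; b[6] = dst >> 8; b[7] = (uint8_t)dst;
    b[8] = sport >> 8; b[9] = (uint8_t)sport;
    b[10] = dport >> 8; b[11] = (uint8_t)dport;
    b[12] = proto;
    return p;
}

/* A mask/match test is one pass over the vector: (pkt & mask) == match. */
static int mm_hit(const struct mm *r, const struct pkt *p)
{
    for (size_t i = 0; i < PKT_BYTES; i++)
        if ((p->b[i] & r->mask[i]) != r->match[i]) return 0;
    return 1;
}

/* Range -> mask/match: greedily carve [lo,hi] into aligned power-of-two
 * blocks; each block is exactly one prefix mask/match on the field.
 * Returns the number of rules written, or -1 if cap is too small. */
static int range_to_mm(const struct range *r, struct mm *out, int cap)
{
    int n = 0;
    uint32_t lo = r->lo, hi = r->hi;
    while (lo <= hi) {
        int k = 0;   /* block size 2^k: grow while lo stays aligned and the block fits */
        while (k < 16 && (lo & ((1u << (k + 1)) - 1)) == 0 && lo + (1u << (k + 1)) - 1 <= hi)
            k++;
        if (n >= cap) return -1;
        uint16_t mask = (uint16_t)(0xFFFFu << k), match = (uint16_t)(lo & mask);
        memset(&out[n], 0, sizeof out[n]);
        out[n].mask[r->off] = mask >> 8;  out[n].mask[r->off + 1] = (uint8_t)mask;
        out[n].match[r->off] = match >> 8; out[n].match[r->off + 1] = (uint8_t)match;
        n++;
        lo += 1u << k;
    }
    return n;
}

/* Mask/match -> range, the other direction: only a contiguous prefix mask on
 * the field is a single interval.  Returns 1 and fills *r on success. */
static int mm_to_range(const struct mm *m, uint8_t off, struct range *r)
{
    uint16_t mask = (uint16_t)(m->mask[off] << 8 | m->mask[off + 1]);
    uint16_t match = (uint16_t)(m->match[off] << 8 | m->match[off + 1]);
    uint32_t inv = (uint16_t)~mask;
    if ((inv & (inv + 1)) != 0) return 0;      /* low bits of ~mask are not all ones */
    r->off = off; r->lo = match & mask; r->hi = (uint16_t)(match | inv);
    return 1;
}

/* Decision tree: each node is one test; yes/no name the next node or an action. */
enum { ACT_ACCEPT = -1, ACT_DENY = -2 };
struct node { struct mm test; int yes, no; };

static int run_tree(const struct node *t, int root, const struct pkt *p)
{
    int i = root;
    while (i >= 0) i = mm_hit(&t[i].test, p) ? t[i].yes : t[i].no;   /* single pass */
    return i;
}

/* Demo policy: accept TCP to dport 1024-1030, deny everything else. */
static int classify(const struct pkt *p)
{
    struct node t[1 + MAX_MM];
    struct mm rng[MAX_MM];
    struct range r = { DPORT_OFF, 1024, 1030 };
    int n = range_to_mm(&r, rng, MAX_MM);
    memset(&t[0], 0, sizeof t[0]);
    t[0].test.mask[PROTO_OFF] = 0xFF; t[0].test.match[PROTO_OFF] = 6;  /* split on proto */
    t[0].yes = 1; t[0].no = ACT_DENY;
    for (int i = 0; i < n; i++) {            /* chain the range blocks: hit -> accept */
        t[1 + i].test = rng[i];
        t[1 + i].yes = ACT_ACCEPT;
        t[1 + i].no = (i + 1 < n) ? 2 + i : ACT_DENY;
    }
    return run_tree(t, 0, p);
}

static int demo_classify(uint16_t dport, uint8_t proto)
{
    struct pkt p = mk_pkt(0x0a000001u, 0x0a000002u, 40000, dport, proto);  /* constructed */
    return classify(&p);
}

static int demo_block_count(uint16_t lo, uint16_t hi)
{
    struct mm out[MAX_MM];
    struct range r = { DPORT_OFF, lo, hi };
    return range_to_mm(&r, out, MAX_MM);
}

int main(void)
{
    printf("tcp/1025 -> %d, tcp/1031 -> %d, udp/1025 -> %d\n",
           demo_classify(1025, 6), demo_classify(1031, 6), demo_classify(1025, 17));
    printf("1024-1030 needs %d mask/match rules\n", demo_block_count(1024, 1030));
    return 0;
}
```

The point of the two transforms is that an optimizer can pick whichever view is cheaper at each node: a contiguous range costs one compare pair, while a non-contiguous set of masks is better expressed as a split in the tree. Note that a range whose ends are not aligned (1024-1030 above) expands into several mask/match rules, so the two representations are equivalent in expressive power but not in size.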