From: Julian Elischer
Date: Thu, 27 Oct 2011 22:04:19 -0700
To: Ian Smith
Cc: Karim, freebsd-ipfw@freebsd.org, Michael Sierchio
Subject: Re: ipfw rule processing performances
Message-ID: <4EAA37D3.1080905@freebsd.org>
In-Reply-To: <20111027143807.B98377@sola.nimnet.asn.au>
List-Id: IPFW Technical Discussions

On 10/26/11 8:53 PM, Ian Smith wrote:
> On Wed, 26 Oct 2011, Julian Elischer wrote:
> > On 10/26/11 2:39 PM, Michael Sierchio wrote:
> > > On Wed, Oct 26, 2011 at 11:39 AM, Julian Elischer wrote:
> > > >
> > > > read up on all the things you can do with tablearg.. sometimes a single
> > > > table can replace dozens of rules.
> > >
> > > Julian - would you be so kind as to give an example?
> > >
> > > - M
> >
> > off the top of my head:
> >
> > implement an ad-hoc RErouting table using fwd tablearg
> > implement entirely different rules for a complicated set of subnets using
> > skipto tablearg
>
> But in this context, isn't skipto tablearg time-expensive, in that it
> can't use the cached target of a normal skipto, but must walk the
> ruleset from the skipto to the resulting rule each time?

Not necessarily. If you have the destinations being normal skiptos
following the selection rule, you might select from one of a small number
of destination skiptos (which are cached) for an arbitrarily large set of
client addresses, with a single table lookup. The time to walk a small
number of rules is small..

> > arbitrarily slow down all the traffic from everyone you don't like in the
> > company using "lookup" and queue.
> >
> > from the man page:
> >
> > The tablearg argument can be used with the following
> > actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto
> > action parameters: tag, untag, rule options: limit, tagged.
> >
> > and...
> >
> > # addresses we don't want to be seeing coming from outside..
> > ${fwcmd} table 1 add 10.0.0.0/8
> > ${fwcmd} table 1 add 172.16.0.0/12
> > ${fwcmd} table 1 add 192.168.0.0/16
> > # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
> > # RESERVED-1, DHCP auto-configuration, NET-TEST, MULTICAST (class D),
> > # and class E) on the outside interface
> > ${fwcmd} table 1 add 0.0.0.0/8
> > ${fwcmd} table 1 add 169.254.0.0/16
> > ${fwcmd} table 1 add 192.0.2.0/24
> > ${fwcmd} table 1 add 224.0.0.0/4
> > ${fwcmd} table 1 add 240.0.0.0/4
>
> Indeed, I was entirely bemused by the arguments against incorporating
> this into rc.firewall a year or two ago ..
>
> cheers, Ian
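As an added example (not code from this thread nor from FreeBSD's rc.firewall), here is the layout Julian describes: one `skipto tablearg` lookup that dispatches onto a few ordinary skipto rules, which ipfw caches, each fronting the policy block for one group of subnets. The table number, rule numbers, subnets and per-group policies are assumptions chosen for the example; with the default `fwcmd=echo` the script only prints the commands it would load.

```shell
#!/bin/sh
# Many client subnets, ONE table lookup: rule 500 does "skipto tablearg",
# the tablearg is the number of a nearby ordinary skipto rule (cached by
# ipfw), and that rule jumps to the group's policy block. The per-packet
# walk from 500 to the target is only one to three rules.
# Table/rule numbers, subnets and policies are constructed for this example.
fwcmd="${fwcmd:-echo}"   # set fwcmd=/sbin/ipfw to actually load the rules

# Table 2: source subnet -> tablearg (the fronting skipto rule number).
load_dispatch_table() {
    ${fwcmd} table 2 flush
    # engineering: several subnets, one policy
    ${fwcmd} table 2 add 10.1.0.0/16 510
    ${fwcmd} table 2 add 10.2.0.0/16 510
    ${fwcmd} table 2 add 10.3.0.0/16 510
    # guest wireless
    ${fwcmd} table 2 add 10.40.0.0/15 520
    ${fwcmd} table 2 add 172.16.8.0/22 520
    # hosts under quarantine
    ${fwcmd} table 2 add 192.168.200.0/24 530
}

load_ruleset() {
    # selection rule: a single lookup picks the group
    ${fwcmd} add 500 skipto tablearg ip from 'table(2)' to any
    ${fwcmd} add 501 skipto 600 ip from any to any    # source not in table
    # destination skiptos: ordinary, so their targets are cached
    ${fwcmd} add 510 skipto 1000 ip from any to any   # engineering
    ${fwcmd} add 520 skipto 2000 ip from any to any   # guests
    ${fwcmd} add 530 skipto 3000 ip from any to any   # quarantine
    # 600: default policy for sources not listed in the table
    ${fwcmd} add 600 allow tcp from any to any established
    ${fwcmd} add 601 deny ip from any to any
    # 1000: engineering may reach anything
    ${fwcmd} add 1000 allow ip from any to any
    # 2000: guests get web and DNS only
    ${fwcmd} add 2000 allow tcp from any to any 80,443 setup keep-state
    ${fwcmd} add 2001 allow udp from any to any 53 keep-state
    ${fwcmd} add 2002 deny ip from any to any
    # 3000: quarantined hosts are logged and dropped
    ${fwcmd} add 3000 deny log ip from any to any
}

load_dispatch_table
load_ruleset
```

Adding a new subnet to a group is then a single `table 2 add` entry with the group's tablearg, with no change to the ruleset itself.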