Date: Tue, 19 May 1998 18:53:49 +0200
From: Eivind Eklund <eivind@yes.no>
To: Luigi Rizzo <luigi@labinfo.iet.unipi.it>
Cc: kjc@csl.sony.co.jp, current@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: struct ifnet handling...
Message-ID: <19980519185349.49553@follo.net>
In-Reply-To: <199805191356.PAA09388@labinfo.iet.unipi.it>; from Luigi Rizzo on Tue, May 19, 1998 at 03:56:59PM +0200
References: <19980519172127.08361@follo.net> <199805191356.PAA09388@labinfo.iet.unipi.it>
This belongs in -net - please send further messages there (I'm sending
this message to both lists to allow an orderly transition).

On Tue, May 19, 1998 at 03:56:59PM +0200, Luigi Rizzo wrote:
> > If you're interested in implementing fast firewall code, there are a
> > lot of changes that are more interesting than removing that strncmp().
> > One of them is getting rid of the dual pass through the firewall rules
> > - which you can do by switching to a chained system.
>
> Can you explain? I don't get this. If you refer to the poor
> implementation of SKIPTO rules, I already fixed that yesterday (and
> it is in today's dummynet patches).

I'm referring to the implementation of the recv, xmit and 'via' rules.
They're implemented by running the _entire_ ruleset once when the packet
arrives, and once when it leaves. Search for ip_fw_chk_ptr in ip_output.c
and ip_input.c.

> One thing I was thinking is to see rules as instructions, and each rule
> does only ONE test (be it on addresses, ports, etc.). This way you can
> quickly switch to the right piece of code, and avoid testing the flags
> 16 times on each rule to see which tests to apply and which ones not.

Yes, that's a good internal representation. Be aware that you can also
use a test as a 'split' - view the entire system as a tree. If you use a
model that is easy to manipulate this can be reasonably simple to
implement. One way is to look at a packet (including flags etc.) as a
series of bits which can be masked against. This is fairly tractable -
rules can be viewed as either a mask/match or a selection of bits with a
min/max value. Both ways of viewing these are generic (the proof is
trivial), and it is possible to transform back and forth.

I have code to do some of these transforms available somewhere; if you
want to play with this to look at different optimization models, you can
have a copy.

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19980519185349.49553>
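The "transform back and forth" between the two rule views that Eivind describes (a rule as mask/match on the packet's bits, or as a min/max range over a selected bit field) can be made concrete. The following is an added example written for this archive page; it is not Eivind's transform code, nor anything from FreeBSD's ipfw. It assumes a single 16-bit field (a TCP/UDP port) and shows the range-to-mask direction: an inclusive range [lo, hi] is split into aligned power-of-two blocks, each of which is exactly one mask/match test, and an exhaustive check confirms the two representations accept the same packets. The struct and function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* One rule that performs exactly ONE test on a 16-bit field, in the
 * mask/match view: the rule matches when (field & mask) == value. */
struct mask_rule {
    uint16_t mask;
    uint16_t value;
};

/* Decompose the inclusive range [lo, hi] into the minimal set of
 * aligned power-of-two blocks. Each block is one mask/match rule, so
 * the min/max view becomes an OR of mask/match tests.
 * Returns the number of rules written to out, or -1 if max_rules is
 * too small (a 16-bit range needs at most 30 rules). */
int range_to_masks(uint16_t lo, uint16_t hi, struct mask_rule *out, int max_rules)
{
    int n = 0;
    uint32_t cur = lo;   /* 32-bit so cur can pass 65535 and end the loop */

    while (cur <= hi) {
        /* Grow the block while cur stays aligned to it and it still
         * fits inside [cur, hi]. */
        uint32_t size = 1;
        while ((cur & (size * 2 - 1)) == 0 && cur + size * 2 - 1 <= hi)
            size *= 2;
        if (n >= max_rules)
            return -1;
        out[n].mask  = (uint16_t)~(size - 1);  /* size 65536 -> mask 0: match all */
        out[n].value = (uint16_t)cur;
        n++;
        cur += size;
    }
    return n;
}

/* The two views of a single-field test. */
static int match_mask(uint16_t field, const struct mask_rule *r)
{
    return (field & r->mask) == r->value;
}

static int match_range(uint16_t field, uint16_t lo, uint16_t hi)
{
    return field >= lo && field <= hi;
}

/* Exhaustively check that the range rule and its mask/match expansion
 * accept exactly the same field values. Returns 1 if they agree on all
 * 65536 inputs, 0 otherwise. */
int representations_agree(uint16_t lo, uint16_t hi)
{
    struct mask_rule rules[32];
    int n = range_to_masks(lo, hi, rules, 32);
    if (n < 0)
        return 0;
    for (uint32_t v = 0; v <= 0xFFFF; v++) {
        int any = 0;
        for (int i = 0; i < n && !any; i++)
            any = match_mask((uint16_t)v, &rules[i]);
        if (any != match_range((uint16_t)v, lo, hi))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed input: the classic "unprivileged ports" range. */
    struct mask_rule rules[32];
    int n = range_to_masks(1024, 65535, rules, 32);
    for (int i = 0; i < n; i++)
        printf("port & 0x%04x == 0x%04x\n", rules[i].mask, rules[i].value);
    printf("%d rules, equivalent to range: %d\n", n, representations_agree(1024, 65535));
    return 0;
}
```

The reverse direction is the trivial half: a mask/match rule whose mask is a contiguous run of high bits is the single range [value, value | ~mask]. The point for an optimizer is that once every rule is in one canonical form over the packet's bits, rules can be compared, merged, and arranged as the tree of 'split' tests mentioned above without special-casing ports versus addresses.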