Date: Thu, 4 Jan 2001 06:34:12 -0800 (PST)
From: Luigi Rizzo <rizzo@aciri.org>
To: jon@abccom.bc.ca (Jon Simola)
Cc: ipfw@FreeBSD.ORG
Subject: Re: Indexing IPFW rule
Message-ID: <200101041434.f04EYC189940@iguana.aciri.org>
In-Reply-To: <Pine.BSF.3.96.1010104052129.462T-200000@newmail.netbistro.com> from Jon Simola at "Jan 4, 2001 5:32:37 am"

The idea in principle is ok, but your implementation is rather expensive at runtime, as you have to scan the list of rules every time you match a packet. I think this is too expensive in practice.

Your code below seems to try and use the "next_rule_ptr" field which I introduced some time ago to cache the jump target in skipto rules, but this is not enough for your rules -- basically the 'if' branch should be never taken.

> + case IP_FW_F_INDEX: /* dst_ip */
> + if ( f->next_rule_ptr )
> + chain = f->next_rule_ptr ;
> + else
> + chain = lookup_index_rule(chain, dst_ip.s_addr) ;
> + if (! chain) goto dropit;
> + goto again ;

Another problem in your code is that you hardwire the mask to 24 bit in the code, this can be confusing.

There are some ways to solve the efficiency problem, but probably the simplest one is to keep your code but put a "keep-state" option in each of the branch targets and in the index rule -- this way the matching will install a dynamic rule which can be then tested in O(1) time because this is supported by a hash table.

cheers
luigi

----------------------------------+-----------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
 http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
 Phone: (510) 666 2927
----------------------------------+-----------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
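
Review bot: in the IP_FW_F_INDEX case, the `if ( f->next_rule_ptr )` branch follows a pointer cached per rule without looking at dst_ip, while the else branch picks the target from `dst_ip.s_addr`. A single cached pointer cannot be valid for a target that depends on the packet's destination, so if next_rule_ptr is ever set on an index rule, packets to other addresses would continue at the wrong rule and could bypass the rules meant for them. Suggest removing the cached branch and always calling lookup_index_rule(), or keying any cache on the masked address. Also, `if (! chain) goto dropit;` silently drops every packet whose destination has no index entry; that default-deny behaviour should be documented, or the miss should fall through to the next rule if that is what is intended.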