Date:      Fri, 27 Feb 2004 00:03:09 +0100
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        kientzle@acm.org
Cc:        cvs-src@freebsd.org
Subject:   Re: cvs commit: src/sys/contrib/pf/net if_pflog.c if_pflog.h if_pfsync.c src/sys/contrib/pf/netinet in4_cksum.c
Message-ID:  <20040226230308.GD21156@insomnia.benzedrine.cx>
In-Reply-To: <403E75F1.2070302@kientzle.com>
References:  <Pine.NEB.3.96L.1040226150526.79901Y-100000@fledge.watson.org> <403E75F1.2070302@kientzle.com>

On Thu, Feb 26, 2004 at 02:40:49PM -0800, Tim Kientzle wrote:

> but the data structures that handle this sort of
> thing efficiently are admittedly a bit esoteric.

Actually, everything needed for that is already in the kernel; the radix
tree used by the routing table does exactly that, efficiently. And it
has some other nice properties, like the lookup will find the most
narrow match, so pf can support

  table <goodguys> { 172.16.0.0/16, !172.16.1.0/24, 172.16.1.100 }

where 172.16.2.3 and 172.16.1.100 match, but 172.16.1.2 doesn't, which
can be useful for building white- and blacklists.

Daniel
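
The most-narrow-match behaviour described in the message, as an added example that is not pf's or the kernel's code: a plain one-bit-per-level binary trie (simpler than the kernel's radix tree) where the deepest element on the address's path decides, and a negated element means no match. The names `node_new`, `table_add`, `table_match` and `IP` are hypothetical, and only IPv4 in host byte order is handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct node {                   /* one trie level per address bit */
    struct node *child[2];
    int has_entry, negated;     /* an element ends here; it was written with '!' */
};

static struct node *node_new(void)
{
    struct node *n = calloc(1, sizeof(*n));
    if (n == NULL) abort();
    return n;
}

/* Add addr/len to the table rooted at n; an element of length len ends at depth len. */
static void table_add(struct node *n, uint32_t addr, int len, int negated)
{
    for (int i = 0; i < len; i++) {
        int bit = (addr >> (31 - i)) & 1;
        if (n->child[bit] == NULL) n->child[bit] = node_new();
        n = n->child[bit];
    }
    n->has_entry = 1;
    n->negated = negated;
}

/* Follow the address bits and remember the narrowest element passed; it alone decides. */
static int table_match(const struct node *n, uint32_t addr)
{
    const struct node *best = NULL;
    for (int i = 0; n != NULL; i++) {
        if (n->has_entry) best = n;
        if (i == 32) break;
        n = n->child[(addr >> (31 - i)) & 1];
    }
    return best != NULL && !best->negated;
}

int main(void)
{
    struct node *t = node_new();                /* table <goodguys> from the message */
    table_add(t, IP(172, 16, 0, 0), 16, 0);
    table_add(t, IP(172, 16, 1, 0), 24, 1);     /* !172.16.1.0/24 */
    table_add(t, IP(172, 16, 1, 100), 32, 0);
    printf("%d %d %d\n", table_match(t, IP(172,16,2,3)), table_match(t, IP(172,16,1,100)), table_match(t, IP(172,16,1,2)));
    return 0;
}
```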
