Message-ID: <48AB1313.5080405@elischer.org>
Date: Tue, 19 Aug 2008 11:38:11 -0700
From: Julian Elischer
To: Luigi Rizzo
Cc: FreeBSD Net, ipfw@freebsd.org, Ian Smith
Subject: Re: ipfw add skipto tablearg....
In-Reply-To: <20080819182337.GA25703@onelab2.iet.unipi.it>
List-Id: Networking and TCP/IP with FreeBSD

Luigi Rizzo wrote:
> On Wed, Aug 20, 2008 at 04:06:05AM +1000, Ian Smith wrote:
>> On Tue, 19 Aug 2008, Luigi Rizzo wrote:
>> > On Tue, Aug 19, 2008 at 11:12:04PM +1000, Ian Smith wrote:
> ...
>> > > Until $someone adds a direct skipto target jump at the virtual machine
>> > > code level - big recalc hit when adding/deleting rules/sets I suppose -
>> > > it's still the fastest way to get from a to b, where b > a
>> >
>> > you mean with tables-based skipto targets ? Because the regular
>> > skipto has been a constant-time op forever, even in ipfw1 i believe,
>> > invalidating the target cache on a change and recomputing it on the
>> > fly at the first request.
>>
>> Thanks; I'd completely missed the caching of skipto targets before, and
>> it's all so well commented too. blushing, but glad for the good news.
>>
>> But yes I was pondering Julian's patch, which has to lookup_next_rule
>> every time, and also Mike's bending of divert reentry rule number in
>> ipfw-classifyd with similar intent, which also has to hunt forward in
>> linear time for its target rule - or am I missing something else here?
>
> well, you can use a hash table to support that. It shouldn't be so bad
> to implement, flow tables already use hash tables so one can reuse the same code.

one COULD, but I know I use this feature only with a number (20 or less)
following rules, each of which is a skipto itself to some further away
location...or a simple drop..

Shall we say we "leave it as an exercise for the reader" ?

>
>> > > Speaking of which, should ipfw whinge when asked to skip backwards,
>> > > which it can't, confirmed on a recent browse re Mike's ipfw-classifyd
>> > > and a local test months ago.
>> >
>> > right... but the error can only be reliably detected in the kernel,
>> > as the rule number is not always known when the rule is added.
>>
>> Yes I meant at run-time. On second thoughts, it'd be too easy a way to
>
> actually you can do it at insertion time, it's just that you cannot
> do it in userland as other checks before inserting the rule.
>
> cheers
> luigi
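
The two lookup costs discussed in this thread, side by side, as an added C example that is not part of the original message and is not ipfw source: a fixed skipto target cached until the ruleset changes, and a table-supplied target searched forward on every packet. All names (`add_rule`, `skipto_cached`, `skipto_tablearg`, `lookup_forward`, the generation counter) are hypothetical, and the model assumes that the caller supplies every rule number and that a backward target falls through to the following rule.

```c
/* Simplified model of the thread's points; not ipfw source, names hypothetical. */
#include <stddef.h>
struct rule {
    unsigned num, skipto;  /* rule number; fixed skipto target (0 = none) */
    unsigned cached_gen;   /* generation the cached index is valid for */
    size_t cached_idx;     /* index of the resolved target rule */
};
static struct rule rules[32];        /* kept sorted by rule number */
static size_t nrules;
static unsigned ruleset_gen = 1;     /* bumped on every ruleset change */
static unsigned long steps;          /* positions advanced by linear searches */

/* Forward-only search: first rule after `from` numbered >= target, or nrules.
 * Earlier rules are never examined, so a backward target resolves to from+1. */
static size_t lookup_forward(size_t from, unsigned target) {
    size_t i = from + 1;
    while (i < nrules && rules[i].num < target) i++;
    steps += i - from;
    return i;
}

/* Insert in number order; -1 if full, -2 for a fixed skipto that does not
 * point forward (checked at insertion, where the rule number is known). */
static int add_rule(unsigned num, unsigned skipto) {
    size_t i = nrules;
    if (nrules == sizeof rules / sizeof rules[0]) return -1;
    if (skipto != 0 && skipto <= num) return -2;
    for (; i > 0 && rules[i - 1].num > num; i--) rules[i] = rules[i - 1];
    rules[i] = (struct rule){ .num = num, .skipto = skipto };
    nrules++;
    ruleset_gen++;                   /* invalidates every cached target */
    return 0;
}

/* Fixed target: searched once per generation, constant time afterwards. */
static size_t skipto_cached(size_t idx) {
    struct rule *r = &rules[idx];
    if (r->cached_gen != ruleset_gen) {
        r->cached_idx = lookup_forward(idx, r->skipto);
        r->cached_gen = ruleset_gen;
    }
    return r->cached_idx;
}

/* Table-supplied target: varies per packet, so it is searched every time. */
static size_t skipto_tablearg(size_t idx, unsigned target) {
    return lookup_forward(idx, target);
}
```

The `steps` counter makes the difference visible: repeated `skipto_cached` calls add nothing until a rule is inserted, while every `skipto_tablearg` call pays for the walk again.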