Date:      Thu, 4 Jan 2001 09:24:41 -0800 (PST)
From:      Luigi Rizzo <rizzo@aciri.org>
To:        rizzo@aciri.org (Luigi Rizzo)
Cc:        jon@abccom.bc.ca, ipfw@FreeBSD.ORG
Subject:   Re: Indexing IPFW rule
Message-ID:  <200101041724.f04HOgc92175@iguana.aciri.org>
In-Reply-To: <200101041434.f04EYC189940@iguana.aciri.org> from Luigi Rizzo at "Jan 4, 2001  6:34:12 am"

on second thought... unless you find some more efficient way to
perform the first matching, the "index" ipfw action seems completely
overkill if you use dynamic rules: just put a check-state first,
followed by an ordinary skipto to go to the beginning of the table,
and then insert all rules you need. This is extremely flexible, as
you can use different patterns on the "jump table" (which is not
a jump table anymore) and quite efficient after the first time
because the check-state matches quickly.


	ipfw add 1000 check-state
	ipfw add 1001 skipto 10000 <some match pattern>
	...
	ipfw add 10000 allow ip from 10.0.0.1 to any
	ipfw add 10000 deny ip from 10.0.0.2 to any
	ipfw add 10000 deny ip from 10.0.0.3 to any
	ipfw add 10000 allow ip from 10.0.0.4/28 to any
	...
	ipfw add 10000 allow ip from 10.0.0.254 to any

> There are some ways to solve the efficiency problem, but probably
> the simplest one is to keep your code but put a "keep-state"
> option in each of the branch targets and in the index rule -- this
> way the matching will install a dynamic rule which can be then
> tested in O(1) time because this is supported by a hash table.
> 
> 	cheers
> 	luigi
> ----------------------------------+-----------------------------------------
>  Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
>  http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
>  Phone: (510) 666 2927
> ----------------------------------+-----------------------------------------
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
> 
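
Added example, not part of the original message and not ipfw code: a small Python model of the ruleset above that counts how many rules a packet traverses before and after a dynamic rule exists. Assumptions: the skipto pattern matches every packet, each table rule carries keep-state as suggested in the quoted text, a flow is keyed on its exact (src, dst, sport, dport) tuple, and the default rule denies.

```python
import ipaddress

# Constructed table mirroring the rules numbered 10000 in the message.
TABLE = [("allow", "10.0.0.1"), ("deny", "10.0.0.2"), ("deny", "10.0.0.3"),
         ("allow", "10.0.0.4/28"), ("allow", "10.0.0.254")]

def build_ruleset(table):
    """1000 check-state, 1001 skipto 10000, then one rule 10000 per table entry."""
    rules = [(1000, "check-state", None), (1001, "skipto", 10000)]
    for action, src in table:
        # strict=False accepts 10.0.0.4/28 and masks it to 10.0.0.0/28.
        rules.append((10000, action, ipaddress.ip_network(src, strict=False)))
    return rules

def evaluate(rules, dynamic, pkt):
    """First-match walk. pkt = (src, dst, sport, dport). Returns (verdict, rules_examined)."""
    examined, i = 0, 0
    while i < len(rules):
        _number, action, arg = rules[i]
        examined += 1
        if action == "check-state":
            if pkt in dynamic:               # hash lookup, independent of table size
                return dynamic[pkt], examined
        elif action == "skipto":             # assumption: the skipto pattern matches every packet
            i = next((j for j, r in enumerate(rules) if r[0] >= arg), len(rules))
            continue
        elif ipaddress.ip_address(pkt[0]) in arg:
            dynamic[pkt] = action            # modelled keep-state: remember the parent rule's action
            return action, examined
        i += 1
    return "deny", examined                  # assumption: default rule denies

if __name__ == "__main__":
    rules, dynamic = build_ruleset(TABLE), {}
    flow = ("10.0.0.254", "192.0.2.10", 40000, 80)   # constructed sample flow
    print("first packet :", evaluate(rules, dynamic, flow))
    print("second packet:", evaluate(rules, dynamic, flow))
```

The first packet of a flow pays for the linear walk through the table; every later packet of that flow is decided at rule 1000, whatever the table length.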


