Date: Thu, 14 Sep 2006 15:46:12 +0200
From: Phil Regnauld <regnauld@catpipe.net>
To: Willem Jan Withagen <wjw@digiware.nl>
Cc: freebsd-net@freebsd.org
Subject: Re: blocking a string in a packet using ipfw
Message-ID: <20060914134611.GW76403@catpipe.net>
In-Reply-To: <4509592A.3040602@digiware.nl>
References: <4509592A.3040602@digiware.nl>
Willem Jan Withagen (wjw) writes:
>
> Now I'm pretty sure that ipfw does not stretch indefinitely to contain
> perhaps something like 100.000 ip-numbers (would be a nice test. :) )

Actually, it should.

> So I'd
> like to see if there is something to do with divert and some matching on a
> string in the packet to drop those packets.

That will be quite expensive. Ideally ipfw/pf should allow for inspecting the contents of a packet (offset,value,[offset,value]) without leaving kernel space.

> That would prevent me from having a humongous set of rules in ipfw.
>
> Or any other suggestion that would make sense.

Using pf with a table, and in ipfw as well, you can handle very large lists of IP addresses.
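As an added example, not code from this thread or from the FreeBSD project, the following POSIX shell script shows the "one table, one rule" approach the reply suggests for both firewalls: a large blocklist is cleaned and deduplicated, then loaded into a single ipfw lookup table (and, for pf, a single table in pf.conf) that one deny rule references, instead of one rule per address. The blocklist contents, the table name `blocked`, ipfw table number 1 and rule number 100 are constructed placeholders. The script only generates the ipfw commands and pf.conf fragment so they can be reviewed before being applied; it never calls `ipfw` or `pfctl` itself.

```shell
#!/bin/sh
# Added example (not from the thread): keep a large IP blocklist in one
# pf table / ipfw table instead of one firewall rule per address.
# List file, table name and rule numbers are constructed placeholders;
# only the commands are generated, nothing touches the running firewall.
set -u

# Constructed sample blocklist: comments, blank lines, a duplicate and a
# malformed entry are included to show what the loader filters out.
BLOCKLIST=$(mktemp)
cat > "$BLOCKLIST" <<'EOF'
# blocked sources (constructed sample data)
192.0.2.10
198.51.100.0/24
192.0.2.10          # duplicate, dropped by sort -u
203.0.113.7 # inline comment is stripped

not-an-address      # malformed, rejected by the validator
EOF

# load_blocklist FILE: strip comments and whitespace, keep only IPv4 or
# IPv4/prefix entries, drop duplicates. Output is one entry per line.
load_blocklist() {
    sed 's/#.*//' "$1" | tr -d ' \t' | grep -v '^$' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' | sort -u
}

# ipfw_cmds FILE: emit ipfw(8) commands that refill one lookup table and
# add a single deny rule referencing it (table 1 and rule 100 are assumed).
ipfw_cmds() {
    echo "ipfw table 1 flush"
    load_blocklist "$1" | while read -r entry; do
        echo "ipfw table 1 add $entry"
    done
    echo "ipfw add 100 deny ip from table(1) to any"
}

# pf_conf: emit the pf.conf fragment for the same idea. The table contents
# can later be swapped with pfctl without reloading the whole ruleset.
pf_conf() {
    echo 'table <blocked> persist'
    echo 'block drop in quick from <blocked> to any'
    echo '# refresh the table from the cleaned list at any time, e.g.:'
    echo '# pfctl -t blocked -T replace -f /path/to/cleaned.list'
}

# count_entries FILE: number of valid, unique entries; useful to confirm
# after loading that the table size matches what was intended.
count_entries() {
    load_blocklist "$1" | grep -c .
}

ipfw_cmds "$BLOCKLIST"
pf_conf
```

The validator accepts only dotted-quad addresses with an optional prefix length, so a stray hostname or typo in a 100,000-entry list is dropped at load time rather than silently rejected by the firewall half-way through a bulk add; comparing `count_entries` with the table size reported by the firewall is the cheap check that the whole list actually landed.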