From owner-cvs-all Tue Feb 13 9:30:35 2001 Delivered-To: cvs-all@freebsd.org Received: from iguana.aciri.org (iguana.aciri.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id 13C1B37B503; Tue, 13 Feb 2001 09:30:28 -0800 (PST) Received: (from rizzo@localhost) by iguana.aciri.org (8.11.1/8.11.1) id f1DHPKO31020; Tue, 13 Feb 2001 09:25:20 -0800 (PST) (envelope-from rizzo) From: Luigi Rizzo Message-Id: <200102131725.f1DHPKO31020@iguana.aciri.org> Subject: Re: cvs commit: src/sys/netinet ip_fw.c ip_fw.h src/sbin/ipfw ipfw.8 ipfw.c In-Reply-To: <51205.982073676@critter> from Poul-Henning Kamp at "Feb 13, 2001 3:14:36 pm" To: phk@critter.freebsd.dk (Poul-Henning Kamp) Date: Tue, 13 Feb 2001 09:25:10 -0800 (PST) Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-cvs-all@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > > The check is semi expensive (traverses the interface address list) any input packet needs to traverse the interface address list. If there is an efficiency problem there, the fix is to use a hash table to lookup local addresses. BTW can you explain me the logic in INADDR_TO_IFP ? I am not sure i understand why IFF_POINTOPOINT is considered differently here and not in ip_input(). > It would be more elegant to have multiple lists of ipfw rules: > One input list per interface > One output list per interface > One list for packets being forwarded > One list for packets arriving locally > One list for packets originating locally what would you apply to 'forwarded' packets ? Just the 'forward' list (very hard to do in practice, as you might have to backtrack, think of divert sockets) or the set ? > And it would be trivial to implement this in a backwards compatible [ok the following is just driven by thinking at how to implement this in the most efficient way...] In terms of elegance, remember that an access list is no different than a set of (current) ipfw rules with the same rule number and a final acceptall or denyall action (current rules are more flexible as they permit GOTO). Implementationwise, we could just associate a starting rule number (currently is 0 for all) to each interface. The relevant pointer to the starting rule could be in the interface descriptor, not in ipfw, so the lookup has O(1) cost. Of course, next time someone will ask to have rulesets on a per-interface-address basis, not just on a per-interface basis... The only gain in terms of performance would be when we have many interfaces (or aliases) and different processing for each of them, which in the current configuration requires some kind of switch statement at the beginning to select the good ruleset. cheers luigi ----------------------------------+----------------------------------------- Luigi RIZZO, luigi@iet.unipi.it . ACIRI/ICSI (on leave from Univ. di Pisa) http://www.iet.unipi.it/~luigi/ . 1947 Center St, Berkeley CA 94704 Phone: (510) 666 2927 ----------------------------------+----------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message