Date:      Wed, 14 Feb 2001 01:31:34 -0600
From:      Bill Fumerola <billf@mu.org>
To:        Julian Elischer <julian@elischer.org>
Cc:        Poul-Henning Kamp <phk@critter.freebsd.dk>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet ip_fw.c ip_fw.h src/sbin/ipfw ipfw.8 ipfw.c
Message-ID:  <20010214013134.C483@elvis.mu.org>
In-Reply-To: <3A89670C.82B8DAA9@elischer.org>; from julian@elischer.org on Tue, Feb 13, 2001 at 08:55:40AM -0800
References:  <51205.982073676@critter> <3A89670C.82B8DAA9@elischer.org>

On Tue, Feb 13, 2001 at 08:55:40AM -0800, Julian Elischer wrote:

> I agree, though it is possible to break the single list into these using 
> skipto rules.. (we did that at whistle.) the first rule immediately jumped 
> to rule 8000 or something if it was an external incoming packet.
> 
> It's not perfect but it does approximate what you are talking about..

ipfw could be very optimized based on interface-based, in/out-based lists.
skipto logically arranged the rules as phk talked about, but doesn't take
advantage of the performance increases that could result from optimizations
in the code because of this change.

It's very possible to do and do right[1]. I've talked with a few people about
this before. I'm going to be looking into writing it in the near future. 

-- 
Bill Fumerola - security yahoo         / Yahoo! inc.
              - fumerola@yahoo-inc.com / billf@FreeBSD.org


1. up to and including backwards compatibility that would allow current
rules to fall into the new scheme w/o change..

