From owner-freebsd-net@FreeBSD.ORG Fri Sep 15 15:21:14 2006
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EE5EF16A40F for ; Fri, 15 Sep 2006 15:21:14 +0000 (UTC) (envelope-from prvs=julian=4062b6196@elischer.org)
Received: from a50.ironport.com (a50.ironport.com [63.251.108.112]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3D7D743D46 for ; Fri, 15 Sep 2006 15:21:14 +0000 (GMT) (envelope-from prvs=julian=4062b6196@elischer.org)
Received: from unknown (HELO [192.168.2.6]) ([10.251.60.41]) by a50.ironport.com with ESMTP; 15 Sep 2006 08:21:13 -0700
Message-ID: <450AC4E9.7050302@elischer.org>
Date: Fri, 15 Sep 2006 08:21:13 -0700
From: Julian Elischer
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060414
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-net@freebsd.org
References: <200609151244.k8FCiVqV016726@lurza.secnetix.de>
In-Reply-To: <200609151244.k8FCiVqV016726@lurza.secnetix.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: blocking a string in a packet using ipfw
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 15 Sep 2006 15:21:15 -0000

Oliver Fromme wrote:
> Willem Jan Withagen wrote:
> > Julian Elischer wrote:
> >
> > Forgot to mention: 4.7-PRERELEASE :(
> > >
> > > ugh... no tables
> > > and 45000 lines will be bad.
>
> Not necessarily ...
>
> > Over that time I collected over 50.000 IP's which all ended up
> > in IPFW. :) The box (PIII, 750 Mhz, 512Mb) started using a lot
> > of system and interrupt time, but it survived it all.
>
> I once wrote a small tool that took a bunch of IP addresses
> on stdin and converted it into IPFW "skipto" rules forming
> a binary tree. So, in the worst case, only 32 rules had to
> be checked for each packet, instead of 50,000.
>

yes I've done that too but tables are such an improvement. I backported tables from 4.10 to 4.8 for ironport last year and it wasn't any problem.. just copied back the relevant files and compiled with ipfw2. it would probably work for 4.7 too.

> Of course, with IPFW2's table feature, that tool of mine
> became obsolete.
>
> Best regards
> Oliver
>
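The skipto binary tree Oliver describes, as an added example written for this thread rather than his tool or any FreeBSD code: it assumes IPv4 addresses, rule numbers starting at `base`, and a default-allow terminal rule, and includes a small walker that counts how many rules a packet touches before a verdict.

```python
import ipaddress


def _emit(ips, start, end):
    """Rules for sorted, distinct integer addresses 'ips', numbered from 'start';
    non-matching packets leave the block by jumping to rule 'end'."""
    if len(ips) == 1:
        return [f"add {start} deny ip from {ipaddress.ip_address(ips[0])} to any"]
    shared = 32 - (ips[0] ^ ips[-1]).bit_length()   # prefix bits common to all
    bit = 1 << (31 - shared)                         # first bit that differs
    ones = [ip for ip in ips if ip & bit]
    zeros = ips[:len(ips) - len(ones)]               # sorted, so zeros come first
    net1 = ipaddress.ip_address(((ips[0] >> (31 - shared)) | 1) << (31 - shared))
    low = _emit(zeros, start + 1, end)
    jump = start + 1 + len(low) + 1                  # first rule of the 'ones' subtree
    return ([f"add {start} skipto {jump} ip from {net1}/{shared + 1} to any"]
            + low
            + [f"add {start + 1 + len(low)} skipto {end} ip from any to any"]
            + _emit(ones, jump, end))


def build_ruleset(addresses, base=1000):
    """Return ipfw(8) 'add' commands for the blocklist plus a terminal allow rule."""
    ips = sorted({int(ipaddress.ip_address(a)) for a in addresses})
    end = base + 3 * len(ips) - 2                    # n leaves + 2 rules per split
    return _emit(ips, base, end) + [f"add {end} allow ip from any to any"]


def evaluate(rules, address):
    """Walk the rules as ipfw would for a packet from 'address';
    returns (verdict, rules_examined) to show the per-packet bound."""
    src = ipaddress.ip_address(address)
    parsed = []
    for line in rules:
        p = line.split()
        target = int(p[3]) if p[2] == "skipto" else None
        net = p[6] if target is not None else p[5]
        hit = net == "any" or src in ipaddress.ip_network(net)
        parsed.append((int(p[1]), p[2], target, hit))
    examined = i = 0
    while i < len(parsed):
        _, action, target, hit = parsed[i]
        examined += 1
        if hit and action != "skipto":
            return action, examined
        # skipto resumes at the first rule numbered >= target
        i = next(k for k, r in enumerate(parsed) if r[0] >= target) if hit else i + 1
    return "allow", examined                         # constructed default-accept end
```

The generated lines are in the form ipfw(8) reads from a rule file; each level of the tree costs one prefix test, so a packet is checked against at most a few dozen rules regardless of list size.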