Date: Tue, 15 Aug 2006 17:58:08 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Ian FREISLICH <if@hetzner.co.za>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw performance and random musings.
Message-ID: <20060815175808.A45688@xorpc.icir.org>
In-Reply-To: <E1GCyrM-000MtP-W7@hetzner.co.za>; from if@hetzner.co.za on Tue, Aug 15, 2006 at 03:21:32PM +0200
References: <rizzo@icir.org> <E1GCyrM-000MtP-W7@hetzner.co.za>
On Tue, Aug 15, 2006 at 03:21:32PM +0200, Ian FREISLICH wrote:
> Luigi Rizzo wrote:
...
> > another approach that was suggested long ago was to put, in
> > the interface definition, a starting ipfw rule number so
> > the ip_fw_chk() would start from there if available,
> > rather than from rule 1.
>
> Do you have a quick-start on how I would go about doing this?

In abstract terms, add to the struct ifnet a field to store the
initial rule number for incoming and outgoing traffic, to be
set through ifconfig or some other way.
When the firewall gets the packet and has an ifnet pointer,
lookup the initial number, then lookup the rule pointer through
a hash table or something like that (at the moment the
number->rule translation is done within each rule, but that
needs to be centralized as it does not scale or map well to SMP),
then start from there instead of rule 1.

cheers
luigi
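
The scheme described in the message above, as an added C example that is not part of the original e-mail and is not FreeBSD code. `struct rule`, `struct iface`, `rule_lookup()`, `fw_check()` and the sample ruleset are hypothetical stand-ins; a binary search over a sorted chain replaces the hash table the message mentions, and a start number with no rule of its own is assumed to resolve to the next higher-numbered rule.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical, simplified model: not FreeBSD's struct ip_fw or struct ifnet. */
enum action { DENY = 0, ALLOW = 1 };
struct rule  { uint16_t rulenum, dport; enum action act; }; /* dport 0 = any */
struct iface { uint16_t start_in, start_out; };             /* 0 = not set */

/* Constructed sample ruleset, sorted by number; the last rule is the default. */
static const struct rule chain[] = {
    { 100, 22, DENY }, { 1000, 80, ALLOW }, { 2000, 25, ALLOW },
    { 2010, 22, ALLOW }, { 65535, 0, DENY },
};
#define NRULES (sizeof(chain) / sizeof(chain[0]))

/* Centralized number->rule translation. Assumption: a start number with no
 * rule of its own resolves to the next higher-numbered rule. Binary search
 * over the sorted chain stands in for the hash table the message mentions. */
static size_t rule_lookup(uint16_t rulenum)
{
    size_t lo = 0, hi = NRULES - 1;   /* rule 65535 always qualifies */
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (chain[mid].rulenum < rulenum) lo = mid + 1; else hi = mid;
    }
    return lo;
}

/* Walk the chain from the interface's start rule; *visited counts rules tested. */
static enum action fw_check(const struct iface *ifp, int incoming,
                            uint16_t dport, unsigned *visited)
{
    uint16_t start = ifp ? (incoming ? ifp->start_in : ifp->start_out) : 0;
    *visited = 0;
    for (size_t i = rule_lookup(start); i < NRULES; i++) {
        (*visited)++;
        if (chain[i].dport == 0 || chain[i].dport == dport)
            return chain[i].act;
    }
    return DENY;   /* not reached while a default rule exists; fail closed */
}

int main(void)
{
    struct iface em0 = { 2000, 0 };   /* constructed per-interface setting */
    unsigned n;
    enum action a = fw_check(&em0, 1, 25, &n);
    printf("port 25 in: %s after %u rule(s)\n", a == ALLOW ? "allow" : "deny", n);
    return 0;
}
```

Rules numbered below an interface's start value are never evaluated for that interface: in the sample ruleset the deny at rule 100 no longer applies to incoming traffic on an interface that starts at 2000, so a deny meant to hold everywhere has to be repeated inside each interface's block.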