From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 16 00:58:09 2006
Date: Tue, 15 Aug 2006 17:58:08 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Ian FREISLICH <if@hetzner.co.za>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw performance and random musings.
Message-ID: <20060815175808.A45688@xorpc.icir.org>
List-Id: IPFW Technical Discussions

On Tue, Aug 15, 2006 at 03:21:32PM +0200, Ian FREISLICH wrote:
> Luigi Rizzo wrote:
...
> > another approach that was suggested long ago was to put, in
> > the interface definition, a starting ipfw rule number so
> > the ip_fw_chk() would start from there if available,
> > rather than from rule 1.
>
> Do you have a quick-start on how I would go about doing this?
In abstract terms, add to the struct ifnet a field to store the initial rule number for incoming and outgoing traffic, to be set through ifconfig or some other way. When the firewall gets the packet and has an ifnet pointer, look up the initial number, then look up the rule pointer through a hash table or something like that (at the moment the number->rule translation is done within each rule, but that needs to be centralized as it does not scale or map well to SMP), then start from there instead of rule 1.

cheers
luigi
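As an added example that is not Luigi's code and not anything from the FreeBSD tree, the following userland C model sketches the scheme described in the reply: a per-interface start number for each direction, one hash index that does the number->rule translation for the whole chain (instead of per rule), and an entry point that begins the walk at that rule instead of rule 1. Every name in it (struct ifnet_model, fw_start_in/fw_start_out, fw_chain, ip_fw_chk_model, the demo_* helpers, the sample rules and interfaces) is invented for illustration; the rule bodies are plain strings and are never parsed.

```c
#include <stdio.h>
#include <stdint.h>

/* Added example, not FreeBSD code: a userland model of the scheme in the mail.
 * struct ifnet_model, fw_start_in/fw_start_out and ip_fw_chk_model are
 * invented names; rule bodies are plain strings and are never parsed. */
#define NBUCKETS 64

struct fw_rule {
    uint16_t rulenum;
    const char *text;       /* rule body, for display only */
    struct fw_rule *next;   /* chain, ascending by rulenum */
    struct fw_rule *hnext;  /* bucket chain of the central number->rule index */
};
struct fw_chain {
    struct fw_rule *head;
    struct fw_rule *hash[NBUCKETS];
};
struct ifnet_model {        /* stand-in for struct ifnet with the new fields */
    const char *name;
    uint16_t fw_start_in;   /* 0 = start from the first rule, as today */
    uint16_t fw_start_out;
};
static unsigned hash_rulenum(uint16_t n) { return n % NBUCKETS; }

/* Insert in ascending order and index it; -1 if the number is already taken. */
int fw_add_rule(struct fw_chain *ch, struct fw_rule *r)
{
    struct fw_rule **pp = &ch->head, **bucket = &ch->hash[hash_rulenum(r->rulenum)];
    while (*pp && (*pp)->rulenum < r->rulenum)
        pp = &(*pp)->next;
    if (*pp && (*pp)->rulenum == r->rulenum)
        return -1;
    r->next = *pp;      *pp = r;
    r->hnext = *bucket; *bucket = r;
    return 0;
}

/* Start point for n: the central index for an exact hit, else the first rule
 * numbered >= n, so a configured start with no such rule is not fatal. */
struct fw_rule *fw_start_rule(const struct fw_chain *ch, uint16_t n)
{
    struct fw_rule *r;
    if (n == 0)
        return ch->head;
    for (r = ch->hash[hash_rulenum(n)]; r; r = r->hnext)
        if (r->rulenum == n)
            return r;
    for (r = ch->head; r && r->rulenum < n; r = r->next)
        ;
    return r;
}

/* Model of the ip_fw_chk() entry: start from the interface's number instead of
 * rule 1. Returns the number of the first rule examined, 0 if none. */
uint16_t ip_fw_chk_model(const struct fw_chain *ch, const struct ifnet_model *ifp, int out)
{
    struct fw_rule *r = fw_start_rule(ch, out ? ifp->fw_start_out : ifp->fw_start_in);
    return r ? r->rulenum : 0;
}

/* Constructed sample ruleset and interfaces so the example runs stand-alone. */
static struct fw_rule sample_rules[] = {
    {   100, "allow ip from any to any via lo0",       NULL, NULL },
    {   200, "deny ip from 127.0.0.0/8 to any in",     NULL, NULL },
    {  1000, "allow tcp from any to me 22 in via em0", NULL, NULL },
    {  1010, "deny ip from any to any in via em0",     NULL, NULL },
    {  2000, "allow ip from me to any out via em1",    NULL, NULL },
    { 65535, "deny ip from any to any",                NULL, NULL },
};
static struct ifnet_model sample_ifs[] = {
    { "em0", 1000, 0 },    /* inbound starts at 1000, outbound at the top */
    { "em1", 0, 1500 },    /* 1500 has no rule: outbound starts at 2000 */
};
static struct fw_chain sample_chain;

/* First rule number evaluated for traffic on sample_ifs[ifidx]. */
uint16_t demo_first_rule(int ifidx, int out)
{
    if (sample_chain.head == NULL)          /* build the chain on first use */
        for (size_t i = 0; i < sizeof sample_rules / sizeof *sample_rules; i++)
            fw_add_rule(&sample_chain, &sample_rules[i]);
    return ip_fw_chk_model(&sample_chain, &sample_ifs[ifidx], out);
}

/* Rules a walk from that start visits; everything before it is skipped for this traffic. */
int demo_rules_walked(int ifidx, int out)
{
    uint16_t first = demo_first_rule(ifidx, out);
    int n = 0;
    for (struct fw_rule *r = first ? fw_start_rule(&sample_chain, first) : NULL;
         r; r = r->next)
        n++;
    return n;
}

int main(void)
{
    printf("em0 in:  start at rule %u, %d rules walked\n",
           (unsigned)demo_first_rule(0, 0), demo_rules_walked(0, 0));
    printf("em1 out: start at rule %u, %d rules walked\n",
           (unsigned)demo_first_rule(1, 1), demo_rules_walked(1, 1));
    return 0;
}
```

Two things a practitioner would check before shipping a real version of this: rules numbered below an interface's start point are never evaluated for that interface's traffic in that direction, so early deny rules (anti-spoofing, loopback protection) have to be repeated at or after the start or the per-interface start must be left at 0; and when the start number exceeds every rule in the chain the model above examines nothing and returns 0, so a real implementation has to decide explicitly whether that falls through to the default rule rather than leave the packet's fate to an unchecked NULL.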