Date:      Thu, 27 Oct 2011 22:04:19 -0700
From:      Julian Elischer <julian@freebsd.org>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        Karim <fodillemlinkarim@gmail.com>, freebsd-ipfw@freebsd.org, Michael Sierchio <kudzu@tenebras.com>
Subject:   Re: ipfw rule processing performances
Message-ID:  <4EAA37D3.1080905@freebsd.org>
In-Reply-To: <20111027143807.B98377@sola.nimnet.asn.au>
References:  <4EA6D78F.6010607@gmail.com> <4EA73BAB.70607@freebsd.org> <CAHu1Y71Lf8=x3=S8cf__aT2fxyv6eX_EBqZvybgzwi9Q%2BSfzRQ@mail.gmail.com> <4EA85168.5020103@gmail.com> <4EA853D7.4010305@freebsd.org> <CAHu1Y705Ds7d06c0Qm_BM_x%2BmGGgZB41P=p2Xg33a5qQvpiyJg@mail.gmail.com> <4EA8A254.9070700@freebsd.org> <20111027143807.B98377@sola.nimnet.asn.au>

On 10/26/11 8:53 PM, Ian Smith wrote:
> On Wed, 26 Oct 2011, Julian Elischer wrote:
>   >  On 10/26/11 2:39 PM, Michael Sierchio wrote:
>   >  >  On Wed, Oct 26, 2011 at 11:39 AM, Julian Elischer<julian@freebsd.org>
>   >  >  wrote:
>   >  >
>   >  >  >  read up on all the things you can do with tablearg.. sometimes a single
>   >  >  >  table can replace dozens of rules.
>   >  >  Julian - would you be so kind as to give an example?
>   >  >
>   >  >  - M
>   >  >
>   >  off the top of my head:
>   >
>   >  implement an ad-hoc rerouting table using   fwd  tablearg
>   >  implement entirely different rules for a complicated set of subnets using
>   >  skipto tablearg
>
> But in this context, isn't skipto tablearg time-expensive, in that it
> can't use the cached target of a normal skipto, but must walk the
> ruleset from the skipto to the resulting rule each time?

not necessarily

if you have the destinations being normal skiptos following the selection
rule, you might select from one of a small number of destination skiptos
(which are cached) for an arbitrarily large set of client addresses, with
a single table lookup.

the time to walk a small number of rules is small..

>   >  arbitrarily slow down all the traffic from everyone you don't like in the
>   >  company using "lookup" and queue.
>   >
>   >  from the man page:
>   >
>   >        The tablearg argument can be used with the following
>   >       actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto
>   >       action parameters: tag, untag, rule options: limit, tagged.
>   >
>   >  and...
>   >
>   >            # addresses we don't want to be seeing coming from outside..
>   >          ${fwcmd} table 1 add 10.0.0.0/8
>   >          ${fwcmd} table 1 add 172.16.0.0/12
>   >          ${fwcmd} table 1 add 192.168.0.0/16
>   >           # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
>   >           # RESERVED-1, DHCP auto-configuration, NET-TEST, MULTICAST (class D),
>   >           # and class E) on the outside interface
>   >          ${fwcmd} table 1 add 0.0.0.0/8
>   >          ${fwcmd} table 1 add 169.254.0.0/16
>   >          ${fwcmd} table 1 add 192.0.2.0/24
>   >          ${fwcmd} table 1 add 224.0.0.0/4
>   >          ${fwcmd} table 1 add 240.0.0.0/4
>
> Indeed, I was entirely bemused by the arguments against incorporating
> this into rc.firewall a year or two ago ..
>
> cheers, Ian
>




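As an added illustration of the layout Julian describes (one table lookup, one
skipto tablearg, then a handful of ordinary skiptos whose targets ipfw caches),
here is a skeleton ruleset written in the rc.firewall style. It is not code
from the thread or from rc.firewall: the interface name em0, the client
subnets, the rule numbers and the per-class policies are all made up for the
example. It runs as a dry run by default and only prints the ipfw commands;
set FWCMD=ipfw to apply it on a FreeBSD box. The syntax is the 2011-era one
quoted in the thread; later releases reworked ipfw tables, so check ipfw(8)
on your release before relying on it.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from rc.firewall.
# Dry run by default: prints the commands. FWCMD=ipfw applies them.
fwcmd="${FWCMD:-echo ipfw}"

# Assumed site layout (constructed for the example).
iif="em0"          # interface the client subnets arrive on

build_ruleset() {
    ${fwcmd} -f flush
    ${fwcmd} table 10 flush

    # Table 10 maps a client subnet to the NUMBER of the skipto rule that
    # handles that class of client. Any number of subnets may share one
    # value; the selector below costs one table lookup regardless.
    # skipto only jumps forward, so every value must exceed rule 1000.
    ${fwcmd} table 10 add 10.1.0.0/16      1010   # office LAN
    ${fwcmd} table 10 add 10.2.0.0/16      1010   # second office LAN
    ${fwcmd} table 10 add 10.9.0.0/24      1020   # lab
    ${fwcmd} table 10 add 192.168.100.0/24 1030   # guest wifi

    # Replies to flows already allowed below never reach the selector.
    ${fwcmd} add 100 check-state

    # The selector: the table value becomes the skipto target. This jump
    # is not cached, but it only has to walk rules 1001..1030.
    ${fwcmd} add 1000 skipto tablearg ip from "table(10)" to any in via ${iif}

    # Fence: anything that did not jump stops here, so a packet can never
    # fall through into the landing pads by rule order alone.
    ${fwcmd} add 1005 deny ip from any to any

    # Landing pads: plain skiptos, so ipfw caches their targets.
    ${fwcmd} add 1010 skipto 2000 ip from any to any
    ${fwcmd} add 1020 skipto 3000 ip from any to any
    ${fwcmd} add 1030 skipto 4000 ip from any to any

    # Per-class policy blocks (placeholders for the real rules).
    # Office: unrestricted.
    ${fwcmd} add 2000 allow ip from any to any keep-state
    # Lab: ssh and https only.
    ${fwcmd} add 3000 allow tcp from any to any dst-port 22,443 setup keep-state
    ${fwcmd} add 3010 deny ip from any to any
    # Guests: web only.
    ${fwcmd} add 4000 allow tcp from any to any dst-port 80,443 setup keep-state
    ${fwcmd} add 4010 deny ip from any to any
}

build_ruleset
```

Rule 1005 is the part to keep an eye on when editing a ruleset of this shape:
the landing pads match `ip from any to any`, so they must be reachable only
by jumping, and the deny in front of them is what guarantees that. Adding a
new client class means one new table value, one new landing pad after 1030
and one new policy block; the selector rule never changes.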
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4EAA37D3.1080905>