Date:      Fri, 7 Jan 2000 20:18:09 +0100
From:      Harold Gutch <logix@foobar.franken.de>
To:        Nate Williams <nate@mt.sri.com>, Luigi Rizzo <luigi@info.iet.unipi.it>
Cc:        Patrick Bihan-Faou <patrick@mindstep.com>, freebsd-current@FreeBSD.ORG
Subject:   Re: ipfw optimizations
Message-ID:  <20000107201809.B17766@foobar.franken.de>
In-Reply-To: <200001071837.LAA06133@mt.sri.com>; from Nate Williams on Fri, Jan 07, 2000 at 11:37:02AM -0700
References:  <003301bf5937$90b0c340$c80aa8c0@local.mindstep.com> <200001071802.TAA05558@info.iet.unipi.it> <200001071837.LAA06133@mt.sri.com>

On Fri, Jan 07, 2000 at 11:37:02AM -0700, Nate Williams wrote:
> > > One of the things I would do to optimize ipfw is:
> > > - instead of keeping one list with all the rules, split the list (the
> > >   internal one) by interface and by direction (one list for ed1 incoming,
> > >   one list for ed1 outgoing, etc.).
> > 
> > one skipto rule is enough to switch between two rulesets depending
> > on direction, so this is not really worthwhile.
> > I agree that having a `switch' type of rule for selecting interfaces
> > would be a reasonable gain of efficiency (but then again.. how 
> > many interfaces is one using!)
> 
> It doesn't matter, it has to do the lookup on a per-interface basis.  On
> my firewall box, I have 11 interfaces.
> 
> Two ethernet, one loopback, 4 slip, and 4 tunnel.
> 
> I could easily see a speedup from using per-interface lists.

I haven't looked at the firewalling code in the kernel, but
couldn't you gain exactly this speedup by issuing this stuff
manually?  Add a bunch of "skipto" rules at the very beginning of
your ruleset and have them branch to rule 5000, 10000, 15000 etc.
and then set up your per-interface rules beginning at exactly
these rules.

In fact, isn't that what Linux' "ipchains" are all about?  You
split up the rules and branch to one of your rulesets at the
beginning.  I've never seen anything special in this feature,
since ipfw does that as well (you just don't have magical names
for your rules but numbers instead).

bye,
  Harold

-- 
Someone should do a study to find out how many human life spans have
been lost waiting for NT to reboot.
              Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc
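The layout sketched above (a dispatch section of skipto rules at the top, then one block of rules per interface and direction at 5000, 10000, 15000, ...), written out as an added shell script that generates such an ipfw(8) ruleset. This is example code, not a ruleset from the thread; the interface names, rule numbering and the `established` placeholder rule are assumptions. Each block is closed with its own deny because skipto only jumps forward, so a packet that walked off the end of one interface's block would otherwise continue into the next interface's rules.

```shell
#!/bin/sh
# Emit an ipfw(8) ruleset with a skipto dispatch section followed by one
# block per interface and direction.  Constructed example: interface names,
# rule numbers and the placeholder allow rule are assumptions.

gen_ruleset() {
    first=5000   # block for the first interface (inbound)
    step=5000    # distance between interface blocks: 5000, 10000, 15000, ...
    outoff=1000  # outbound block sits this far above the inbound one
    rule=100     # number of the first dispatch rule
    blk=$first

    # Dispatch section: one skipto per interface and direction, placed first
    # so a packet is matched against its own block only.  Packets on an
    # interface that is not listed never jump and hit the deny below.
    for ifn in "$@"; do
        echo "ipfw add $rule skipto $blk ip from any to any in via $ifn"
        rule=$((rule + 10))
        echo "ipfw add $rule skipto $((blk + outoff)) ip from any to any out via $ifn"
        rule=$((rule + 10))
        blk=$((blk + step))
    done
    echo "ipfw add $rule deny log ip from any to any"

    # Per-interface blocks.  skipto only jumps forward, so every block ends
    # with an explicit deny; without it a packet that matches nothing in its
    # block would fall through into the next interface's block.
    blk=$first
    for ifn in "$@"; do
        for dir in in out; do
            if [ "$dir" = in ]; then b=$blk; else b=$((blk + outoff)); fi
            echo "# --- $ifn, $dir: site-specific allow rules go here ---"
            echo "ipfw add $b allow tcp from any to any established $dir via $ifn"
            echo "ipfw add $((b + outoff - 1)) deny log ip from any to any $dir via $ifn"
        done
        blk=$((blk + step))
    done
}

# Stand-alone use: ./gen_ruleset.sh ed0 ed1 sl0 ...
if [ $# -gt 0 ]; then gen_ruleset "$@"; fi
```

The script only prints the `ipfw add` commands; review the output before piping it into a shell on the firewall.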

