Date: Fri, 7 Jan 2000 17:07:33 -0500
From: "Patrick Bihan-Faou" <patrick@mindstep.com>
To: "Luigi Rizzo" <luigi@info.iet.unipi.it>, "Harold Gutch" <logix@foobar.franken.de>, <freebsd-current@FreeBSD.ORG>
Cc: "Nate Williams" <nate@mt.sri.com>
Subject: Re: ipfw optimizations
Message-ID: <011d01bf595b$99929640$c80aa8c0@local.mindstep.com>
References: <200001072100.WAA06141@info.iet.unipi.it>
(don't you love all that quoting...)

> > > > I agree that having a `switch' type of rule for selecting interfaces
> > > > would be a reasonable gain of efficiency (but then again.. how
> > > > many interfaces is one using!)
> > >
> > > It doesn't matter, it has to do the lookup on a per-interface basis. On
> > > my firewall box, I have 11 interfaces.
> > > Two ethernet, one loopback, 4 slip, and 4 tunnel.
>
> i meant, if you only have 2-3 interfaces which are used 90% of the times,
> then you really have 1-2 extra rules to look for.
> But, in any case, it seems reasonably clear that a 'switch'
> statement would simplify rule writing in a number of situations,
> and i agree with Rod that the way ipfw does (having all rules
> potentially applicable for all cases) is very very flexible
> and probably more convenient than per-interface lists in many
> cases.

Yes I agree, I love ipfw functionality.

You were asking for ideas on how to optimize ipfw. What I suggested is that in its INTERNAL representation of the rules, ipfw could split the rules on a per interface/direction basis. This means that you will not look at the rules that are known to not apply to your interface AND direction, hence saving some time.

Again I am not asking for modification of the "user interface" of ipfw which is nice and to the point. As you and Rod mention, the ability to have rules applicable to all interfaces in one shot is great.
What I was thinking about is when you build the "per-interface" list of rules, use what is provided in the interface part of the rule to determine where it belongs:

ipfw add allow ip from joe to bob in recv ed0
  => this rule is to be added only in the inbound list for interface ed0

ipfw add allow ip from joe to bob via ed0
  => this rule is to be added to both inbound and outbound lists for i/f ed0

ipfw add allow ip from joe to bob
  => this rule is to be added to the inbound and outbound lists for all i/fs

In the future we could also use negative logic to add a rule to all interfaces except the one mentioned...

Also as I said earlier, you don't have to do any more interface checking when it is implemented this way. The fact that you use such or such list is enough.

Also to respond to some comments from Rod, this scheme duplicates the rules, but it does so behind the scenes, so it does not add more complexity to the way you configure ipfw. Actually it remains completely compatible with the current behaviour of ipfw.

Is that SO unreasonable ????

Patrick.
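The per-interface/direction split proposed in the message, as an added example that is not part of the original thread or of ipfw itself: it partitions a constructed rule set the way the three examples above do, and also handles the "not" negative logic mentioned as a future extension. The interface names, rule numbers and host names joe/bob are placeholders, and recv/xmit/via are all treated simply as "the named interface" with the direction taken from in/out.

```python
"""Sketch of ipfw-style per-(interface, direction) rule lists."""
from collections import defaultdict

# Constructed sample data: placeholder interfaces and a small rule chain
# written in the syntax used in the message (rule numbers are arbitrary).
INTERFACES = ["ed0", "ed1", "tun0"]
RULES = [
    (100, "allow ip from joe to bob in recv ed0"),
    (200, "allow ip from joe to bob via ed0"),
    (300, "deny ip from any to any out not xmit tun0"),  # negative logic
    (400, "allow ip from joe to bob"),                   # no i/f: all lists
]


def classify(rule, interfaces):
    """Return the set of (iface, direction) lists a rule belongs to.

    'in'/'out' pin the direction (neither means both); recv/xmit/via name
    the interface, 'not' in front of them means every other interface;
    a rule naming no interface goes to the lists of every interface.
    """
    tokens = rule.split()
    dirs = [d for d in ("in", "out") if d in tokens] or ["in", "out"]
    ifaces = list(interfaces)
    for i, tok in enumerate(tokens):
        if tok in ("recv", "xmit", "via") and i + 1 < len(tokens):
            named = tokens[i + 1]
            negate = i > 0 and tokens[i - 1] == "not"
            # negate=False keeps only `named`; negate=True keeps all others
            ifaces = [x for x in interfaces if (x != named) == negate]
            break
    return {(x, d) for x in ifaces for d in dirs}


def build_lists(rules, interfaces):
    """Duplicate the single chain into one list per (iface, direction),
    preserving the original rule order inside every list."""
    lists = defaultdict(list)
    for num, rule in rules:
        for key in classify(rule, interfaces):
            lists[key].append((num, rule))
    return dict(lists)


def rules_for(lists, iface, direction):
    """Rules a packet on iface/direction must be checked against."""
    return lists.get((iface, direction), [])


if __name__ == "__main__":
    lists = build_lists(RULES, INTERFACES)
    for key in sorted(lists):
        print(key, [num for num, _ in lists[key]])
```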