Date:      Fri, 7 Jan 2000 14:34:19 -0800 (PST)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        patrick@mindstep.com (Patrick Bihan-Faou)
Cc:        luigi@info.iet.unipi.it (Luigi Rizzo), logix@foobar.franken.de (Harold Gutch), freebsd-current@FreeBSD.ORG, nate@mt.sri.com (Nate Williams)
Subject:   Re: ipfw optimizations
Message-ID:  <200001072234.OAA13343@gndrsh.dnsmgr.net>
In-Reply-To: <011d01bf595b$99929640$c80aa8c0@local.mindstep.com> from Patrick Bihan-Faou at "Jan 7, 2000 05:07:33 pm"

...
> 
> 
> Yes I agree, I love ipfw functionality. You were asking for ideas on how to
> optimize ipfw. What I suggested is that in its INTERNAL representation of
> the rules, ipfw could split the rules on a per interface/direction basis.
> This means that you will not look at the rules that are known to not apply
> to your interface AND direction, hence saving some time.
> 
> Again I am not asking for modification of the "user interface" of ipfw which
> is nice and to the point.
> 
> As you and Rod mention, the ability to have rules applicable to all
> interfaces in one shot is great.
> 
> What I was thinking about is when you build the "per-interface" list of
> rules, use what is provided in the interface part of the rule to determine
> where it belongs:
> 
> 
> ipfw add allow ip from joe to bob in recv ed0
>    => this rule is to be added only in the inbound list for interface ed0
> 
> ipfw add allow ip from joe to bob via ed0
>    => this rule is to be added to both inbound and outbound lists for i/f
> ed0
> 
> ipfw add allow ip from joe to bob
>    => this rule is to be added to the inbound and outbound lists for all
> i/fs

Now I see what you are getting at.
> 
> In the future we could also use negative logic to add a rule to all
> interfaces except the one mentioned...
> 
> Also as I said earlier, you don't have to do any more interface checking when
> it is implemented this way. The fact that you use such or such list is
> enough.

Gotcha, this could potentially eliminate a lot of compare operations.

> Also to respond to some comments from Rod, this scheme duplicates the rules,
> but it does so behind the scene, so it does not add more complexity to the
> way you configure ipfw. Actually it remains completely compatible with the
> current behaviour of ipfw.
> 
> Is that SO unreasonable ????

No, this is completely reasonable now that I understand what it is you're
proposing.  Even the memory footprint is minimal if pointers to the
actual rules are all we store in the per interface list, my largest set
duplicated over 8 interfaces would only be 3200 rules.  Stored as
pointers to rules this would be all of 12.8kbytes, certainly not
enough to worry about :-).

Come up with some patches and I'll be glad to test and review them
for you...


-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net
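The scheme discussed above (per-interface, per-direction lists holding pointers to the same rules, with the list choice replacing each rule's own interface and direction test) can be modelled in a few lines. This is an added illustration, not ipfw code from FreeBSD or from anyone in the thread: the rule grammar it parses is a tiny, assumed subset of ipfw syntax, the host names, interface names and rule numbers are constructed, the compare counting is a simple model of the work a first-match scan does, and the default-deny fallback when nothing matches is an assumption. It checks that the split lists give the same first-match decision as a flat scan while doing fewer compares, and counts the pointer slots the split costs.

```python
"""Added example (not ipfw code): a model of the per-interface/direction
rule split proposed in the thread, checked against a flat first-match scan."""
from dataclasses import dataclass
from typing import Optional

# Assumed rule grammar, a tiny subset of ipfw syntax:
#   <action> ip from <src> to <dst> [in|out] [recv|xmit|via <iface>]
# recv/xmit/via are all treated here as "bound to this interface"; real ipfw's
# recv can also match the receive interface of a forwarded outbound packet,
# which this model ignores.

@dataclass
class Rule:
    number: int
    action: str                   # "allow" or "deny"
    src: str                      # host name or "any"
    dst: str
    direction: str = "any"        # "in", "out" or "any"
    iface: Optional[str] = None   # None = applies to every interface

@dataclass
class Packet:
    src: str
    dst: str
    iface: str                    # interface the packet is being processed on
    direction: str                # "in" or "out"

def parse_rule(number, text):
    toks = text.split()
    if toks[1:3] != ["ip", "from"] or toks[4] != "to":
        raise ValueError(f"unsupported rule: {text!r}")
    rule = Rule(number, toks[0], toks[3], toks[5])
    rest = toks[6:]
    while rest:
        tok = rest.pop(0)
        if tok in ("in", "out"):
            rule.direction = tok
        elif tok in ("recv", "xmit", "via"):
            rule.iface = rest.pop(0)
        else:
            raise ValueError(f"unsupported token {tok!r} in {text!r}")
    return rule

def build_index(rules, interfaces):
    """Per-(interface, direction) lists holding references to the same Rule
    objects, kept in global rule order so first-match semantics are unchanged."""
    index = {(ifn, d): [] for ifn in interfaces for d in ("in", "out")}
    for r in rules:
        for ifn in ([r.iface] if r.iface else interfaces):
            for d in (("in", "out") if r.direction == "any" else (r.direction,)):
                index.setdefault((ifn, d), []).append(r)   # pointer, not a copy
    return index

def _match(rule, pkt, counter, check_binding):
    """Field compares in a fixed order; counter[0] tallies each compare made."""
    if check_binding:   # the flat scan must test direction and interface itself
        if rule.direction != "any":
            counter[0] += 1
            if rule.direction != pkt.direction:
                return False
        if rule.iface is not None:
            counter[0] += 1
            if rule.iface != pkt.iface:
                return False
    counter[0] += 1
    if rule.src != "any" and rule.src != pkt.src:
        return False
    counter[0] += 1
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    return True

def evaluate_flat(rules, pkt):
    """Current scheme: one list, every rule checks its own iface/direction."""
    counter = [0]
    for r in rules:
        if _match(r, pkt, counter, check_binding=True):
            return r.number, r.action, counter[0]
    return None, "deny", counter[0]   # nothing matched: assumed default deny

def evaluate_split(index, pkt):
    """Proposed scheme: picking the list replaces the per-rule iface/direction test."""
    counter = [0]
    for r in index.get((pkt.iface, pkt.direction), []):
        if _match(r, pkt, counter, check_binding=False):
            return r.number, r.action, counter[0]
    return None, "deny", counter[0]

def index_entries(index):
    """Pointer slots the split lists occupy (the cost Rod estimated at 3200)."""
    return sum(len(lst) for lst in index.values())

# Constructed rule set and interfaces for the demonstration.
INTERFACES = ["ed0", "ed1", "lo0"]
RULES = [parse_rule(n, t) for n, t in [
    (100, "allow ip from joe to bob in recv ed0"),
    (200, "deny ip from any to bob in recv ed1"),
    (300, "allow ip from joe to bob via ed0"),
    (400, "allow ip from alice to any out xmit ed1"),
    (500, "allow ip from joe to bob"),
    (65535, "deny ip from any to any"),
]]
INDEX = build_index(RULES, INTERFACES)

def same_decisions(packets):
    """True when both schemes pick the same rule and action for every packet."""
    return all(evaluate_flat(RULES, p)[:2] == evaluate_split(INDEX, p)[:2]
               for p in packets)

if __name__ == "__main__":
    for p in [Packet("joe", "bob", "ed0", "in"), Packet("carol", "bob", "ed1", "in"),
              Packet("alice", "dave", "lo0", "out")]:
        print(p, evaluate_flat(RULES, p), evaluate_split(INDEX, p))
```

The point to check when reviewing a real patch of this kind is the one the model makes explicit: each per-interface list must keep the global rule order, and a rule without an interface clause must land in every list, otherwise first-match results change even though the configuration syntax does not.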

