Date:      Wed, 22 Oct 2003 09:38:10 -0700
From:      Jos Backus <jos@catnook.com>
To:        freebsd-net@freebsd.org
Subject:   Re: Filtering question: checking for many addresses in a single rule?
Message-ID:  <20031022163832.GC39913@lizzy.catnook.com>
In-Reply-To: <3F9600AA.7000500@isi.edu>
References:  <20031022022626.GA91044@lizzy.catnook.com> <3F9600AA.7000500@isi.edu>

On Tue, Oct 21, 2003 at 08:59:38PM -0700, Lars Eggert wrote:
> Jos Backus wrote:
> >If one has many (thousands) hosts/addresses that the same filter action
> >needs to be taken for, what would be the most efficient way to implement
> >this using, say, ipfw or ipfilter?

> You can generate a rule set based on matching increasingly specific 
> subnets in combination with skipto, i.e. simulate a trie-like structure 
> with the firewall. This can get you down to O(log).
> 
> It's not as automatic as you'd like though, probably.

Right. That would be one way of making the existing rule-based mechanism more
efficient, but it would presumably still be too slow and cumbersome to
maintain. However, Pyun YongHyeon pointed me to pf's table feature which looks
like it fits the ticket perfectly, so I'm going to investigate that.

Thanks Lars.

-- 
Jos Backus                       _/  _/_/_/      Sunnyvale, CA
                                _/  _/   _/
                               _/  _/_/_/
                          _/  _/  _/    _/
jos at catnook.com        _/_/   _/_/_/          require 'std/disclaimer'
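Lars's skipto suggestion worked through as an added Python example (not code from the thread or from FreeBSD): it builds a /8, /16, /24, /32 trie over a constructed IPv4 host list and emits ipfw rules so a packet only visits the one block per level that covers it, and `classify` is a small simulator of ipfw's skipto walk used to check the generated set. It assumes IPv4 addresses, a `deny` action for listed hosts and rule numbers starting at 100.

```python
import ipaddress

LEVELS = (8, 16, 24, 32)  # /8, /16, /24, then the host (/32) level
BLOCKED = ["10.0.0.1", "10.0.0.2", "10.0.5.7", "192.0.2.10", "198.51.100.4"]  # constructed

def _emit(addrs, depth, out, blocks):
    """Append one trie node's rules to `out`, then its children's; a node's
    rules precede its children's, so every skipto target has a higher number."""
    block_id = len(blocks)
    blocks.append(len(out))                 # index of this block's first rule
    plen, groups = LEVELS[depth], {}
    for a in addrs:                         # group this node's hosts by prefix
        groups.setdefault(ipaddress.ip_network(f"{a}/{plen}", strict=False), []).append(a)
    pending = []
    for net, members in sorted(groups.items()):
        if plen == 32:                      # leaf: the real filter action
            out.append(["deny", net, None])
        else:                               # branch: descend into that subnet
            out.append(["skipto", net, None])
            pending.append((len(out) - 1, members))
    out.append(["skipto", None, "END"])     # nothing matched here: leave the trie
    for idx, members in pending:
        out[idx][2] = _emit(members, depth + 1, out, blocks)
    return block_id

def build_rules(addrs, base=100):
    """Return (number, action, net, skipto_target) tuples; net None means 'any'."""
    out, blocks = [], []
    _emit(sorted(ipaddress.ip_address(a) for a in addrs), 0, out, blocks)
    end = base + len(out)                   # first rule after the whole trie
    fix = lambda t: None if t is None else end if t == "END" else base + blocks[t]
    return [(base + i, act, net, fix(t)) for i, (act, net, t) in enumerate(out)]

def render(rules):
    """Format the tuples as ipfw(8) commands."""
    return [f"ipfw add {n} {f'skipto {t}' if a == 'skipto' else a} ip from "
            f"{'any' if net is None else net} to any" for n, a, net, t in rules]

def classify(rules, src):
    """Simulate ipfw's walk over the rule list, honouring skipto."""
    ip, idx, base = ipaddress.ip_address(src), 0, rules[0][0]
    while idx < len(rules):
        _, act, net, tgt = rules[idx]
        if net is None or ip in net:
            if act == "deny":
                return "deny"
            idx = tgt - base                # jump forward to the target rule
        else:
            idx += 1
    return "pass"                           # fell out of the trie: not listed
```

Each host still costs one rule per level it does not share with a neighbour, so for thousands of scattered hosts the set grows well beyond the host count and ipfw's 65535 rule-number space becomes the limit, which is the maintenance burden the reply above refers to.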