Date: Fri, 3 May 2013 16:13:21 -0400
From: Korodev <korodev@gmail.com>
To: Michael Sierchio <kudzu@tenebras.com>
Cc: "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject: Re: IPFW Table Size
Message-ID: <CAKOsuLr-AayiTOYoiyx5sSH_bbwkMoDpFsbWM9jPeyk-QLvkog@mail.gmail.com>
In-Reply-To: <CAHu1Y717ec7=x3g1Gdv4q4qfyx0141msFVQVDSPoE-2ehC-hng@mail.gmail.com>
References: <CAKOsuLqQep1ZuFXp+pGrGzO_PiAa_ZM9zkrcY+wtnpSmkVeMqA@mail.gmail.com>
 <CAHu1Y717ec7=x3g1Gdv4q4qfyx0141msFVQVDSPoE-2ehC-hng@mail.gmail.com>
> Better to have a single table - there's a min penalty for each lookup, +
> lg(n) or so.
>
> You can use the second parameter for interesting things, like a rule number
> to skipto
>
> E.g.
>
> ipfw add 05000 skipto tablearg ip from any to me in recv $if_wan lookup
> src-ip $table_number
>

Interesting. I've never seen that syntax before. I'm currently using a simple rule like this:

ipfw add 05000 deny log ip from any to any src-ip table(2)

Is there any reason I should avoid doing it this way?

I should also note, I'm running ipfw inline (using if_bridge), and I'm easily looking at several thousand addresses in the table. Is there any known limitation on the number of entries in a table I should be aware of?

It sounds like I'll be fine with dumping all addresses in a single table.

\\korodev
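The "one table, value as skipto target" pattern Michael describes, as an added example that is not part of the thread and not anyone's posted ruleset. It generates the ipfw commands rather than running them, so it can be checked offline; the table number (2), the WAN interface (em0), the class names (drop, log), the rule numbers (5000/5010/5100/5200/5300) and the address feed are all hypothetical, and it uses the `from 'table(N)'` spelling of the lookup rather than the `lookup src-ip` option quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): build an ipfw ruleset that does ONE
# table lookup and uses the entry's value as a "skipto tablearg" target, so
# different address groups reach different rule blocks without extra tables.
# Assumptions (all hypothetical): table number 2, WAN interface em0, and the
# rule numbers 5000/5010/5100/5200/5300. The script only emits ipfw commands;
# pipe its output into sh on the firewall to apply them.

TABLE=2
IF_WAN=${IF_WAN:-em0}

# Constructed sample feed: "address[/prefix] class" per line (TEST-NET ranges).
SAMPLE_ENTRIES='192.0.2.10 drop
198.51.100.0/24 drop
203.0.113.7 log
203.0.113.8 log'

# The value stored with each table entry is the rule number to skipto.
class_to_rule() {
    case "$1" in
        drop) echo 5100 ;;   # silent deny block
        log)  echo 5200 ;;   # deny-with-logging block
        *)    return 1 ;;    # unknown class: refuse rather than guess
    esac
}

# Read "addr class" lines on stdin, emit one "ipfw table N add addr value" each.
# A malformed line aborts the run so a bad feed cannot silently lose entries.
gen_table_adds() {
    while read -r addr class; do
        [ -z "$addr" ] && continue
        rule=$(class_to_rule "$class") || {
            echo "gen_table_adds: unknown class '$class' for $addr" >&2
            return 1
        }
        echo "ipfw table $TABLE add $addr $rule"
    done
}

# Emit the complete command list: table contents first, then the dispatch rules.
gen_ruleset() {
    entries=${1:-$SAMPLE_ENTRIES}
    echo "ipfw table $TABLE flush"
    printf '%s\n' "$entries" | gen_table_adds || return 1
    # 5000: the single lookup; a hit jumps to the rule number stored as the value.
    echo "ipfw add 5000 skipto tablearg ip from 'table($TABLE)' to any in recv $IF_WAN"
    # 5010: not in the table, jump over the action blocks to the rest of the policy.
    echo "ipfw add 5010 skipto 5300 ip from any to any"
    echo "ipfw add 5100 deny ip from any to any"
    echo "ipfw add 5200 deny log ip from any to any"
    # 5300 onwards: the normal ruleset continues here.
    echo "ipfw add 5300 count ip from any to any"
}

gen_ruleset
```

Two checks worth doing before relying on this on a bridge: bridged frames only reach ipfw when net.link.bridge.ipfw is set to 1, and the number of tables (not entries per table) is bounded by the net.inet.ip.fw.tables_max sysctl, which is one more reason to keep everything in one table and let the value select the action.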