Date: Sun, 27 Sep 1998 15:16:42 +0300 (EEST)
From: Heikki Suonsivu <hsu@clinet.fi>
To: freebsd-security@FreeBSD.ORG
Subject: ipfw
Message-ID: <199809271216.PAA24629@katiska.clinet.fi>

How much work would it be to rewrite ipfw to have interface-specific lists instead of the current global lists? I think it would probably work best if directives with a "via" directive would be entered into an ipfw list attached to an if-specific structure, while the global ipfw lists would be handled separately wherever they are handled today.

Another possibility would be a more efficient matching data structure for ipfw, which would hash addresses, in/out ports and device numbers into a map of rules applicable to a specific packet. I assume this would be a more complicated but better solution in the long term, as it would scale.

We are building a >= 32-port device, and having ipfw lists global is a tremendous waste of precious CPU, as most interfaces need at least some interface-specific access lists.

-- 
Heikki Suonsivu / Clinet Oy / Tekniikantie 12 / FI-02150 Espoo / FINLAND,
hsu@clinet.fi mobile +358-40-5519679 work +358-9-43542270 fax -4555276

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
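
The cost difference the message describes, as an added example that is not part of the original post and is not FreeBSD's ipfw code: a simplified first-match filter that counts how many rules a packet walks in one global list versus a per-interface list. The rule layout, the 4 "via" rules per port, the addresses and all names are constructed assumptions; unlike the message's first proposal, rules without "via" are merged into each port's list so that rule order, and therefore the verdict, is unchanged.

```c
#include <stdio.h>
#define NIF    32    /* ports on the box, as in the message */
#define PER_IF 4     /* constructed: "via" rules per port */
#define NRULES (NIF * PER_IF + 1)
#define ANY_IF (-1)  /* rule with no "via" clause */

struct rule { int via; unsigned net, mask; int allow; };
static struct rule rules[NRULES];
static int if_list[NIF][NRULES], if_len[NIF]; /* per-port rule indexes */

/* Constructed rule set: PER_IF "via" rules per port, then a default deny. */
static void build(void) {
    int n = 0;
    for (int i = 0; i < NIF; i++)
        for (unsigned k = 0; k < PER_IF; k++)
            rules[n++] = (struct rule){ i,
                (10u << 24) | ((unsigned)i << 16) | (k << 8), 0xffffff00u, 1 };
    rules[n] = (struct rule){ ANY_IF, 0, 0, 0 };
    /* Per port: own rules plus non-"via" ones, original order kept. */
    for (int i = 0; i < NIF; i++) {
        if_len[i] = 0;
        for (int r = 0; r < NRULES; r++)
            if (rules[r].via == ANY_IF || rules[r].via == i)
                if_list[i][if_len[i]++] = r;
    }
}

static int hit(const struct rule *r, int ifn, unsigned src) {
    return (r->via == ANY_IF || r->via == ifn) && (src & r->mask) == r->net;
}

/* Walk rules for a packet from src on port ifn; count rules examined.
   per_if = 0 walks the single global list, 1 walks the port's own list. */
static int match(int per_if, int ifn, unsigned src, int *examined) {
    int len = per_if ? if_len[ifn] : NRULES;
    for (int k = 0; k < len; k++) {
        const struct rule *r = &rules[per_if ? if_list[ifn][k] : k];
        ++*examined;
        if (hit(r, ifn, src)) return r->allow;
    }
    return 0;
}

int main(void) {
    int g = 0, p = 0;
    build();
    match(0, 31, 0x0a1f0307u, &g);   /* 10.31.3.7 arriving on port 31 */
    match(1, 31, 0x0a1f0307u, &p);
    printf("rules examined: global=%d per-interface=%d\n", g, p);
    return 0;
}
```

The per-port index is built once when rules change, so its cost is paid at configuration time rather than per packet.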