From owner-freebsd-security Sun Sep 27 05:17:05 1998
Date: Sun, 27 Sep 1998 15:16:42 +0300 (EEST)
Message-Id: <199809271216.PAA24629@katiska.clinet.fi>
From: Heikki Suonsivu
To: freebsd-security@FreeBSD.ORG
Subject: ipfw
Organization: Clinet Ltd, Espoo, Finland

How much work would it be to rewrite ipfw to have interface-specific lists instead of the current global lists? I think it would probably work best if directives with the "via" directive were entered into an ipfw list attached to an if-specific structure, while the global ipfw lists would be handled separately wherever they are handled today.

Another possibility would be a more efficient matching data structure for ipfw, which would hash addresses, in/out ports and device numbers into a map of rules applicable to a specific packet. I assume this would be a more complicated but better solution in the long term, as it would scale.

We are building a >= 32-port device, and having ipfw lists global is a tremendous waste of precious CPU, as most interfaces need at least some interface-specific access lists.
--
Heikki Suonsivu / Clinet Oy / Tekniikantie 12 / FI-02150 Espoo / FINLAND,
hsu@clinet.fi mobile +358-40-5519679 work +358-9-43542270 fax -4555276
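An added illustration of the per-interface list idea raised in the message above, not code from the post or from FreeBSD's ipfw: a toy first-match filter in C that counts how many rules are visited with one global list versus a list attached to each interface. The rule layout, the function names and the sample ruleset are assumptions; unlike the post's suggestion, rules without "via" are copied into every interface's list so that rule-number order is preserved.

```c
#include <stdio.h>
#define NIF   32       /* assumed port count (the post says ">= 32-port") */
#define NRULE (NIF + 2)
#define ANY   (-1)     /* rule without "via": applies on every interface */

struct rule { int num, via, deny; unsigned net, mask; };
static struct rule rules[NRULE];              /* global list, sorted by num */
static const struct rule *chain[NIF][NRULE];  /* hypothetical per-interface lists */
static size_t chain_len[NIF];

/* Constructed ruleset; call once. Rules without "via" are copied into every
   chain in rule-number order, so first-match results stay the same. */
void build(void) {
    size_t n = 0;
    rules[n++] = (struct rule){ 50, ANY, 0, 0xc0a80000u, 0xffff0000u }; /* allow 192.168/16 */
    for (int i = 0; i < NIF; i++)                  /* deny 10.i/16 via port i */
        rules[n++] = (struct rule){ 100 + i, i, 1, 0x0a000000u | ((unsigned)i << 16), 0xffff0000u };
    rules[n++] = (struct rule){ 65000, ANY, 0, 0, 0 };                  /* allow all */
    for (int i = 0; i < NIF; i++)
        for (size_t r = 0; r < n; r++)
            if (rules[r].via == ANY || rules[r].via == i)
                chain[i][chain_len[i]++] = &rules[r];
}

/* Global list: every rule is visited, including other ports' "via" rules. */
int check_global(int ifn, unsigned src, int *tested) {
    for (size_t r = 0; r < NRULE; r++) {
        ++*tested;
        if (rules[r].via != ANY && rules[r].via != ifn) continue;
        if ((src & rules[r].mask) == rules[r].net) return rules[r].deny;
    }
    return 1;  /* nothing matched: deny */
}

/* Per-interface list: only rules that can apply to this port are visited. */
int check_per_if(int ifn, unsigned src, int *tested) {
    for (size_t r = 0; r < chain_len[ifn]; r++) {
        ++*tested;
        if ((src & chain[ifn][r]->mask) == chain[ifn][r]->net) return chain[ifn][r]->deny;
    }
    return 1;  /* nothing matched: deny */
}

int main(void) {
    int g = 0, p = 0;
    build();
    int vg = check_global(31, 0x0a1f0005u, &g), vp = check_per_if(31, 0x0a1f0005u, &p);
    printf("deny=%d/%d, rules tested: global=%d per-interface=%d\n", vg, vp, g, p);
    return 0;
}
```

With this constructed ruleset the verdicts are identical, but the cost of the global walk grows with the number of ports while the per-interface walk does not.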