Date:      6 Nov 2003 14:36:46 +0100
From:      "Clemens Fischer" <>
To:        "Artis Caune" <>
Subject:   Re: loading lot of rules takes very long time
In-Reply-To: <> (Artis Caune's message of "Thu, 6 Nov 2003 13:04:31 +0200")

* Artis Caune:

> rules are added like:
>   ipfw -q add 1 pipe 1 src-ip out via em0
>   ipfw pipe 1 config bw 30Kbytes/s queue 10
>   ...
> soo 'ipfw' is invoked '2 x client_count' !!!

why don't you just prepare the rules in a file and load that in one
single invocation of ipfw(8)?  like so:

--8<---cut here:--start--->8--
# $Header: /l/dns/RCS/,v 1.11 2003/09/25 01:33:44 root Exp root $
# outside interface
lock="lockf -s -t 55 ${fw_rules_X}"

${lock} /bin/cat > "$fw_rules" << EEOOFF || die "${notok}" "$0:  cannot lock fw input"
add deny ip from any to in recv ${oif1}
add deny ip from to any out xmit ${oif1}
add allow ip from any to any via lo0
# Deny all the rest.
add 65400 deny $Lllog ip from any to any
EEOOFF

$fw -q flush
${lock} $fw -q "$fw_rules" || die "${notok}" "$0:  cannot lock ipfw"
exit $?
--8<---cut here:---end---->8--

> maybe ipfw need feature like:
> ipfw -f /etc/rc.firewall

well, the man page is a swell reading in cases like this.  it even
describes options on the usage of preprocessors in this really old
feature:  "ipfw [-cnNqS] [-p preproc [preproc-flags]] pathname".


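An added example, not code from the mail or from ipfw(8): a small sh script that builds the whole per-client pipe rule set into one file and loads it with a single ipfw invocation, serialised with lockf as in the quoted script. The client list format, the pipe-number-equals-rule-number scheme, the /tmp paths and the sample addresses are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail. Builds the per-client pipe rules
# described in the thread into one file and loads that file with a single
# ipfw(8) invocation instead of calling ipfw twice per client.
# Assumed (not from the mail): client list format "ip bw_kbytes", pipe number
# equal to rule number, rules file under /tmp.

OIF="em0"                                   # outside interface (from the mail)
FW="${FW:-/sbin/ipfw}"
RULES_FILE="${RULES_FILE:-/tmp/fw.rules}"

# Constructed sample client list: "ip bandwidth_kbytes_per_sec" per line.
SAMPLE_CLIENTS='# ip            bw (Kbytes/s)
192.0.2.10      30
192.0.2.11      30
192.0.2.12      64'

# gen_rules: read "ip bw" lines on stdin, print ipfw commands on stdout.
# Two lines per client (pipe rule + pipe config) and a final catch-all deny.
gen_rules() {
    n=1
    while read -r ip bw; do
        case "$ip" in ''|'#'*) continue ;; esac      # skip blanks and comments
        printf 'add %d pipe %d ip from %s to any out via %s\n' "$n" "$n" "$ip" "$OIF"
        printf 'pipe %d config bw %sKbytes/s queue 10\n' "$n" "$bw"
        n=$((n + 1))
    done
    printf 'add 65400 deny ip from any to any\n'
}

# count_rules: number of ipfw commands gen_rules emits for the list on stdin.
count_rules() {
    gen_rules | wc -l | tr -d ' '
}

# load_rules: flush, then load the whole file in one ipfw run. lockf(1)
# serialises concurrent loaders, as in the quoted script (FreeBSD only).
load_rules() {
    lockf -s -t 55 "$1.lock" "$FW" -q flush || return 1
    lockf -s -t 55 "$1.lock" "$FW" -q "$1"
}

# Usage on a FreeBSD host, as root:  sh genrules.sh load
if [ "${1:-}" = "load" ]; then
    printf '%s\n' "$SAMPLE_CLIENTS" | gen_rules > "$RULES_FILE"
    load_rules "$RULES_FILE"
fi
```

With three clients the generated file holds seven commands, so the firewall is rebuilt with two ipfw runs (flush plus load) no matter how many clients are listed.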