Date:      Fri, 11 Jun 2004 10:21:36 +0300
From:      Ruslan Ermilov <ru@FreeBSD.org>
To:        Max Laier <max@love2party.net>
Cc:        ipfw@FreeBSD.org
Subject:   Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c src/sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c
Message-ID:  <20040611072136.GB55472@ip.net.ua>
In-Reply-To: <200406110151.17372.max@love2party.net>
References:  <200406092010.i59KAcXH025699@repoman.freebsd.org> <200406100445.44763.max@love2party.net> <20040610214059.GA3228@ip.net.ua> <200406110151.17372.max@love2party.net>



On Fri, Jun 11, 2004 at 01:51:10AM +0200, Max Laier wrote:
> On Thursday 10 June 2004 23:40, Ruslan Ermilov wrote:
[...]
> > One nice difference (and I don't believe PF or IPFilter can do
> > this) is this optional 32-bit tag value with no special meaning.
> > For example, we have several thousands of client IPs, and each
> > client is allowed (through a Web form) to limit bandwidth to
> > some discrete values (0, 64, 128, 256, 512, and "unlimited") in
> > Kbps to/from Ukrainian and foreign networks.  We have this all
> > implemented using less than ten IPFW tables:
>
> hmmm ... I don't really see the benefit in packing the information into
> one table. You could as well have different tables for that (with pf only
> memory limits the number of tables allowed).
>
Imagine if I had 1000 possible values for rate limiting; I'd have to
use 1000 tables then.  Also, the lookup code caches the last query, so if
your ruleset does, say, a hundred lookups:

pipe 1 ip from table(0,1) to any
pipe 2 ip from table(0,2) to any
...
pipe 100 ip from table(0,100) to any

and the entry in the table has the value 100, the radix.c code will not
be called again for the other 99 lookups.  If these were 100 different
tables, this would not work.

> But it's cool that we
> inspire each other and still diverge a bit to find the best solutions for
> our respective users.
>
Yes, sure.  ;)

> Btw, I find it very helpful that pf refers to a table by a name and not a
> number. Why did you choose to use numbers?
>
This is in spirit of the current IPFW syntax: no names for rules,
rulesets, pipes, hence no names for tables.  ;)


Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer
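A model of the lookup-cache argument made in the mail above, added here as an example; it is not code from the mail or from FreeBSD's ipfw. It compares one value-tagged table walked by "pipe N ip from table(0,N) to any" rules against the same policy split over one table per pipe, counting how often the (simulated) radix lookup has to run. The table contents are constructed sample data.

```python
import ipaddress

# Constructed sample: one ipfw-style table whose entries carry a 32-bit tag
# value, here the number of the pipe a client network is sent to.
TABLE0 = {
    ipaddress.ip_network("192.0.2.0/24"): 100,
    ipaddress.ip_network("198.51.100.0/25"): 2,
    ipaddress.ip_network("198.51.100.128/25"): 1,
}


class TableLookup:
    """Longest-prefix table lookup with a one-entry 'last query' cache."""

    def __init__(self, tables):
        self.tables = tables        # {table_number: {network: tag value}}
        self.radix_calls = 0        # stands in for calls into radix.c
        self.last = None            # (table_no, addr, value or None)

    def _radix(self, table_no, addr):
        self.radix_calls += 1
        best = None
        for net, val in self.tables.get(table_no, {}).items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, val)
        return best[1] if best else None

    def match(self, table_no, addr, wanted):
        """True iff addr is in table table_no with tag value == wanted."""
        if self.last is None or self.last[:2] != (table_no, addr):
            # Cache miss: different table or address, so consult the tree.
            self.last = (table_no, addr, self._radix(table_no, addr))
        return self.last[2] == wanted


def tagged_design(addr, npipes=100):
    """Rules 'pipe N ip from table(0,N) to any' for N = 1..npipes."""
    lk, ip = TableLookup({0: TABLE0}), ipaddress.ip_address(addr)
    pipe = next((n for n in range(1, npipes + 1) if lk.match(0, ip, n)), None)
    return pipe, lk.radix_calls


def one_table_per_pipe(addr, npipes=100):
    """Same policy as separate tables: table N holds the clients of pipe N."""
    tables = {n: {net: 1 for net, v in TABLE0.items() if v == n}
              for n in range(1, npipes + 1)}
    lk, ip = TableLookup(tables), ipaddress.ip_address(addr)
    pipe = next((n for n in range(1, npipes + 1) if lk.match(n, ip, 1)), None)
    return pipe, lk.radix_calls
```

With the tagged table a client in pipe 100 costs one radix lookup and 99 cache hits; with one table per pipe every rule misses the cache, so the same packet costs 100 lookups.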

