From: Ruslan Ermilov
To: Max Laier
Cc: ipfw@FreeBSD.org
Date: Fri, 11 Jun 2004 10:21:36 +0300
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c src/sys/netinet in.h ip_fw.h ip_fw2.c raw_ip.c
List-Id: IPFW Technical Discussions

On Fri, Jun 11, 2004 at 01:51:10AM +0200, Max Laier wrote:
> On Thursday 10 June 2004 23:40, Ruslan Ermilov wrote:
[...]
> > One nice difference (and I don't believe PF or IPFilter can do
> > this) is this optional 32-bit tag value with no special meaning.
> > For example, we have several thousands of client IPs, and each
> > client is allowed (through a Web form) to limit bandwidth to
> > some discrete values (0, 64, 128, 256, 512, and "unlimited") in
> > Kbps to/from Ukrainian and foreign networks. We have this all
> > implemented using less than ten IPFW tables:
>
> hmmm ... I don't really see the benefit in packing the information into
> one table. You could as well have different tables for that (with pf only
> memory limits the number of tables allowed).
>
Imagine if I had 1000 possible values for rate limiting, I'd have
to use 1000 tables then. Also, the lookup code caches the last query,
so if your ruleset does, say, a hundred lookups:

	pipe 1 ip from table(0,1) to any
	pipe 2 ip from table(0,2) to any
	...
	pipe 100 ip from table(0,100) to any

and the entry in a table has the value 100, no radix.c code will
ever be called for 99 times. If it were 100 different tables,
this would not work.

> But it's cool that we
> inspire each other and still diverge a bit to find the best solutions for
> our respective users.
>
Yes, sure. ;)

> Btw, I find it very helpful that pf refers to a table by a name and not a
> number. Why did you choose to use numbers?
>
This is in the spirit of the current IPFW syntax: no names for rules,
rulesets, pipes, hence no names for tables.
;)


Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer
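
Added example, not part of the original message and not the ip_fw2.c code: a small C model of the last-query cache described above, counting how often the slow search (standing in for radix.c) runs for the 100-rule ruleset with one shared table versus one table per value. The addresses, values, function names and the layout in which table N holds the entries with value N are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed data: client address -> 32-bit value (used here as a pipe number). */
struct entry { uint32_t addr, value; };
static const struct entry entries[] = { { 0x0a000001, 100 }, { 0x0a000002, 7 } };
static unsigned slow_lookups;  /* calls to the stand-in for the radix search */

/* Stand-in for the radix walk. Hypothetical layout: table 0 holds every entry
 * (shared table); table N > 0 holds only the entries whose value is N. */
static const struct entry *slow_lookup(int tbl, uint32_t addr)
{
    slow_lookups++;
    for (size_t i = 0; i < sizeof(entries) / sizeof(entries[0]); i++)
        if (entries[i].addr == addr && (tbl == 0 || (uint32_t)tbl == entries[i].value))
            return &entries[i];
    return NULL;
}

/* One-entry cache of the last (table, address) query and its result. */
static struct { int valid, table; uint32_t addr; const struct entry *hit; } last;

/* Models table(tbl,want): addr is in table tbl and its value equals want. */
static int table_match(int tbl, uint32_t addr, uint32_t want)
{
    if (!last.valid || last.table != tbl || last.addr != addr) {
        last.valid = 1; last.table = tbl; last.addr = addr;
        last.hit = slow_lookup(tbl, addr);   /* cache miss: do the real search */
    }
    return last.hit != NULL && last.hit->value == want;
}

/* Runs "pipe N ip from table(T,N) to any" for N = 1..nrules, T = 0 (shared) or
 * T = N (per-value tables). Returns slow lookups used; *pipe = match or 0. */
static unsigned classify(uint32_t src, uint32_t nrules, int per_value, uint32_t *pipe)
{
    slow_lookups = 0; last.valid = 0; *pipe = 0;
    for (uint32_t n = 1; n <= nrules && *pipe == 0; n++)
        if (table_match(per_value ? (int)n : 0, src, n))
            *pipe = n;
    return slow_lookups;
}

int main(void)
{
    uint32_t p;
    printf("shared table: %u slow lookups\n", classify(0x0a000001, 100, 0, &p));
    printf("per-value tables: %u slow lookups\n", classify(0x0a000001, 100, 1, &p));
    return 0;
}
```

With the shared table every rule repeats the same (table, address) query, so only the first rule pays for the search; with per-value tables the table number changes on every rule and the one-entry cache never hits.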