From: Julian Elischer <julian@freebsd.org>
To: Michael Sierchio
Cc: Karim, freebsd-ipfw@freebsd.org
Subject: Re: ipfw rule processing performances
Date: Wed, 26 Oct 2011 17:14:12 -0700
Message-ID: <4EA8A254.9070700@freebsd.org>
References: <4EA6D78F.6010607@gmail.com> <4EA73BAB.70607@freebsd.org> <4EA85168.5020103@gmail.com> <4EA853D7.4010305@freebsd.org>
List-Id: IPFW Technical Discussions (freebsd-ipfw@freebsd.org)

On 10/26/11 2:39 PM, Michael Sierchio wrote:
> On Wed, Oct 26, 2011 at 11:39 AM, Julian Elischer wrote:
>
>> read up on all the things you can do with tablearg.. sometimes a single
>> table can replace dozens of rules.
> Julian - would you be so kind as to give an example?
>
> - M
>

off the top of my head:

implement an ad-hoc RErouting table using fwd tablearg

implement entirely different rules for a complicated set of subnets using skipto tablearg

arbitrarily slow down all the traffic from everyone you don't like in the company using "lookup" and queue.

from the man page:

     The tablearg argument can be used with the following actions: nat, pipe,
     queue, divert, tee, netgraph, ngtee, fwd, skipto action parameters: tag,
     untag, rule options: limit, tagged.

and...

# addresses we don't want to be seeing coming from outside..
${fwcmd} table 1 add 10.0.0.0/8
${fwcmd} table 1 add 172.16.0.0/12
${fwcmd} table 1 add 192.168.0.0/16
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
# RESERVED-1, DHCP auto-configuration, NET-TEST, MULTICAST (class D),
# and class E) on the outside interface
${fwcmd} table 1 add 0.0.0.0/8
${fwcmd} table 1 add 169.254.0.0/16
${fwcmd} table 1 add 192.0.2.0/24
${fwcmd} table 1 add 224.0.0.0/4
${fwcmd} table 1 add 240.0.0.0/4
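To make the three tablearg uses above concrete without an ipfw host, here is an added example (not Julian's code and not from FreeBSD): a small Python model of how ipfw substitutes a table value for "tablearg" in skipto, fwd and queue actions. It is a model, not the kernel's code path. Assumptions of this model, not of the original message: table 1 is consumed by a "deny ... in via ext0" rule (the message shows only the table being filled), fwd next hops are stored as the integer form of an IPv4 address, a queue action is terminal (one_pass behaviour), the interface names ext0/int0, and the 198.51.100.0/24 and 203.0.113.0/24 documentation prefixes are constructed sample data.

```python
"""Model of ipfw 'tablearg' dispatch (constructed illustration, not ipfw code).

A table is a longest-prefix-match map from CIDR to a 32-bit value, as with
'ipfw table N add addr/len value'.  When a rule matches 'from table(N)', ipfw
substitutes the matched entry's value for 'tablearg' in the action:
  skipto tablearg -> jump to that rule number
  fwd tablearg    -> forward to that next hop (assumed stored as an int here)
  queue tablearg  -> hand the packet to that queue (modelled as terminal)
Rules here match only source address and an optional 'in via' interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


class Table:
    """Longest-prefix-match table keyed by IPv4 network."""

    def __init__(self) -> None:
        self.entries: Dict[ipaddress.IPv4Network, int] = {}

    def add(self, cidr: str, value: int = 0) -> None:
        self.entries[ipaddress.ip_network(cidr, strict=False)] = value

    def lookup(self, addr: str) -> Optional[int]:
        ip = ipaddress.ip_address(addr)
        best: Optional[ipaddress.IPv4Network] = None
        for net in self.entries:
            if ip in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return None if best is None else self.entries[best]


@dataclass
class Rule:
    number: int
    action: str                  # deny | allow | skipto | fwd | queue
    table: Optional[int] = None  # match 'from table(N)'; None means 'from any'
    via: Optional[str] = None    # match 'in via <iface>'; None means any iface


def run(rules: List[Rule], tables: Dict[int, Table], src: str, iface: str) -> str:
    """Walk the ruleset in rule-number order and return the disposition."""
    ordered = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(ordered):
        r = ordered[i]
        if r.via is not None and r.via != iface:
            i += 1
            continue
        arg = 0
        if r.table is not None:
            found = tables[r.table].lookup(src)
            if found is None:
                i += 1
                continue
            arg = found  # the value ipfw substitutes for 'tablearg'
        if r.action in ("deny", "allow"):
            return f"{r.action}@{r.number}"
        if r.action == "skipto":  # continue at the first rule numbered >= arg
            i = next((k for k, x in enumerate(ordered) if x.number >= arg), len(ordered))
            continue
        if r.action == "fwd":
            return f"fwd {ipaddress.IPv4Address(arg)}@{r.number}"
        if r.action == "queue":
            return f"queue {arg}@{r.number}"
        raise ValueError(f"unknown action {r.action}")
    return "deny@65535"  # ipfw's default final rule


def example_ruleset():
    t1, t2, t3, t4 = Table(), Table(), Table(), Table()
    # table 1: the bogon list from the message; no value needed for a plain deny
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
                 "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4"):
        t1.add(cidr)
    # table 2: per-subnet policy via skipto; longest prefix wins, so
    # 10.2.0.0/16 lands at rule 2000 while the rest of 10/8 lands at 1000
    t2.add("10.0.0.0/8", 1000)
    t2.add("10.2.0.0/16", 2000)
    # table 3: ad-hoc rerouting via fwd; value is the next-hop address
    t3.add("198.51.100.0/24", int(ipaddress.IPv4Address("203.0.113.1")))
    # table 4: sources to throttle; value is the queue number
    t4.add("10.1.7.0/24", 5)
    rules = [
        Rule(100, "deny", table=1, via="ext0"),  # assumed use of table 1
        Rule(200, "queue", table=4),
        Rule(300, "skipto", table=2),
        Rule(400, "fwd", table=3),
        Rule(500, "allow"),
        Rule(1000, "allow"),   # policy block reached for most of 10/8
        Rule(2000, "deny"),    # policy block reached for 10.2/16 only
    ]
    return rules, {1: t1, 2: t2, 3: t3, 4: t4}


def decide(src: str, iface: str) -> str:
    rules, tables = example_ruleset()
    return run(rules, tables, src, iface)
```

Two skipto entries plus two policy blocks stand in for a per-subnet rule for each prefix; adding a subnet is one table entry, not a new rule, and the longest-prefix semantics let a specific /16 override the enclosing /8 without reordering rules.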