Date: Tue, 15 Aug 2006 15:21:32 +0200
From: Ian FREISLICH <if@hetzner.co.za>
To: Luigi Rizzo <rizzo@icir.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw performance and random musings.
Message-ID: <E1GCyrM-000MtP-W7@hetzner.co.za>
In-Reply-To: Message from Luigi Rizzo <rizzo@icir.org> of "Wed, 02 Aug 2006 12:40:53 MST." <20060802124053.A22010@xorpc.icir.org>
Luigi Rizzo wrote:
> On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> > You're thinking somewhere along the lines of:
> >
> > skipto base hash-if <name pattern> from <number> to <number> delta <delta> [offset <number>]
>
> I did not consider the range in interface numbers,
> but that's a possibility, yes.

That's the only way to do this to eliminate yet another linear search
in the firewall processing.

> On the other hand, I don't think one is going to write
> 500 different subsets of ipfw rules to handle the 500
> different interfaces.

This is exactly what I'm doing.  My routers have hundreds of interfaces
and my customers can edit rules that apply to only their interface.  I
need to make the firewall go faster because one host on a 100M ethernet
can fully occupy ipfw's attention.

> Another approach that was suggested long ago was to put, in
> the interface definition, a starting ipfw rule number so
> the ip_fw_chk() would start from there if available,
> rather than from rule 1.

Do you have a quick-start on how I would go about doing this?  I am not
familiar with how packets get from the NIC into the firewall and how I
would get this information from the interface to the firewall.  I can
then figure out which will be within my grasp.

Ian

--
Ian Freislich
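The `skipto base hash-if ... from ... to ... delta ...` rule quoted above is proposed syntax from the thread, not a feature ipfw had, and the model below is an added illustration written for this page, not code from ipfw, Ian or Luigi. It shows the arithmetic such a rule would perform (interface name matched against a prefix, unit number checked against the inclusive range, target computed as `base + (unit - from) * delta + offset`; the meaning of `offset` is my reading of the proposal), the fall-through when the interface is out of range, and skipto's real semantics of resuming at the first rule numbered >= the target, here found by binary search over a sorted rule table instead of a linear scan. The rule numbers, interface names and the `hash_if` struct are constructed for the example.

```c
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of per-interface rule dispatch. Not ipfw code. */

struct rule {
    unsigned num;       /* rule number, ascending, as in an ipfw chain */
    const char *text;   /* constructed description of the rule */
};

/* Constructed chain: one customer block per VLAN, 100 numbers apart. */
static const struct rule chain[] = {
    { 100,   "skipto 1000 hash-if vlan from 10 to 12 delta 100 (modelled)" },
    { 200,   "deny ip from any to any  /* interface not in the table */" },
    { 1000,  "vlan10 customer rules" },
    { 1100,  "vlan11 customer rules" },
    { 1200,  "vlan12 customer rules" },
    { 65535, "default" },
};
#define NRULES (sizeof chain / sizeof chain[0])

/* Parameters of the proposed rule (hypothetical struct name). */
struct hash_if {
    const char *prefix; /* interface name pattern, e.g. "vlan" */
    unsigned lo, hi;    /* inclusive range of interface unit numbers */
    unsigned base;      /* skipto base */
    unsigned delta;     /* rule numbers per interface */
    unsigned offset;    /* added to the computed target (assumed meaning) */
};

/* Constructed example: vlan10..vlan12 map to rules 1000, 1100, 1200. */
const struct hash_if customers = { "vlan", 10, 12, 1000, 100, 0 };

/* Parse "<prefix><digits>"; returns 0 and stores the unit, -1 if no match. */
static int ifunit(const struct hash_if *h, const char *ifname, unsigned *unit)
{
    size_t n = strlen(h->prefix);
    char *end;
    unsigned long v;

    if (strncmp(ifname, h->prefix, n) != 0 || !isdigit((unsigned char)ifname[n]))
        return -1;
    v = strtoul(ifname + n, &end, 10);
    if (*end != '\0')           /* trailing junk such as "vlan1x" */
        return -1;
    *unit = (unsigned)v;
    return 0;
}

/* Skipto target for an interface, or 0 when the rule does not match
 * (name does not fit the pattern or the unit is outside from..to). */
unsigned hash_if_target(const struct hash_if *h, const char *ifname)
{
    unsigned unit;

    if (ifunit(h, ifname, &unit) != 0 || unit < h->lo || unit > h->hi)
        return 0;
    return h->base + (unit - h->lo) * h->delta + h->offset;
}

/* skipto semantics: resume at the first rule numbered >= target.
 * Binary search over the sorted chain; returns an index into chain[]. */
size_t skipto_index(unsigned target)
{
    size_t lo = 0, hi = NRULES;

    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (chain[mid].num < target)
            lo = mid + 1;
        else
            hi = mid;
    }
    return lo;
}

/* Rule number where processing resumes for a packet seen on ifname.
 * A non-matching hash-if rule falls through to next_rule like any other. */
unsigned dispatch(const struct hash_if *h, const char *ifname, unsigned next_rule)
{
    unsigned t = hash_if_target(h, ifname);

    if (t == 0)
        return next_rule;
    return chain[skipto_index(t)].num;
}

int main(void)
{
    const char *names[] = { "vlan10", "vlan11", "vlan12", "vlan13", "em0" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-7s -> rule %u\n", names[i], dispatch(&customers, names[i], 200));
    return 0;
}
```

The dispatch costs one string compare and one binary search regardless of how many interfaces the table covers; the out-of-range and malformed-name cases fall through to the next rule (here the deny at 200) rather than jumping into some other customer's block, which is the check a per-customer rule set needs.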