loading lot of rules takes very long time

Clemens Fischer ino-qc at spotteswoode.de.eu.org
Thu Nov 6 05:36:53 PST 2003


* Artis Caune:

> rules are added like:
>   ipfw -q add 1 pipe 1 src-ip 1.1.1.1 out via em0
>   ipfw pipe 1 config bw 30Kbytes/s queue 10
>   ...
> so 'ipfw' is invoked '2 x client_count' times!!!

why don't you just prepare the rules in a file and load them in one
single invocation of ipfw(8)?  like so:

--8<---cut here:--start--->8--
#!/bin/sh
# $Header: /l/dns/RCS/fw.sh,v 1.11 2003/09/25 01:33:44 root Exp root $
# outside interface
oif1="${2:-tun0}"
...
fw_rules="/l/dns/fw.current"
fw_rules_X="${fw_rules}_X"
lock="lockf -s -t 55 ${fw_rules_X}"

${lock} /bin/cat > "$fw_rules" << EEOOFF || die "${notok}" "$0:  cannot lock fw input"
add deny ip from any to 127.0.0.0/8 in recv ${oif1}
add deny ip from 127.0.0.0/8 to any out xmit ${oif1}
add allow ip from any to any via lo0
...
# Deny all the rest.
add 65400 deny $Lllog ip from any to any
#
EEOOFF

$fw -q flush
${lock} $fw -q "$fw_rules" || die "${notok}" "$0:  cannot lock ipfw"
exit $?
--8<---cut here:---end---->8--

> maybe ipfw needs a feature like:
> ipfw -f /etc/rc.firewall

well, the man page makes for swell reading in cases like this.  it even
describes options for using a preprocessor with this really old
feature:  "ipfw [-cnNqS] [-p preproc [preproc-flags]] pathname".

  clemens
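
The batching Clemens describes, as an added example that is not part of the thread: build the per-client pipe rules from a client list into one ruleset file, write it atomically, and hand it to a single ipfw(8) run under lockf(1). The client-list format ("ip rate" per line), the em0 interface, the sequential pipe and rule numbers and the sample data are all assumptions constructed for this example.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes a client list with one
# "ip rate" pair per line; pipe numbers and rule numbers are assigned
# sequentially (assumption, not from the original post).

# Emit the whole ruleset on stdout. Each client gets the same two commands
# Artis ran as two separate ipfw processes: one pipe config, one add rule.
build_ruleset() {
    clients="$1"
    iface="${2:-em0}"
    n=0
    while read -r ip rate; do
        case "$ip" in ''|'#'*) continue ;; esac   # skip blanks and comments
        n=$((n + 1))
        printf 'pipe %d config bw %s queue 10\n' "$n" "$rate"
        printf 'add %d pipe %d ip from %s to any out via %s\n' \
            "$((1000 + n))" "$n" "$ip" "$iface"
    done < "$clients"
    # Catch-all at the end, as in the script quoted above.
    printf 'add 65400 deny ip from any to any\n'
}

# Write the ruleset to a temp file and rename it into place, so a reader
# of $rules never sees a half-written file.
write_ruleset() {
    clients="$1"; rules="$2"
    build_ruleset "$clients" > "${rules}.tmp.$$" && mv "${rules}.tmp.$$" "$rules"
}

# One flush and one load, serialised with lockf(1) like the posted script.
# The flush/load pair is the only moment the old rules are absent.
load_ruleset() {
    rules="$1"
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not available here; ruleset left in $rules" >&2
        return 0
    fi
    ipfw -q flush
    lockf -s -t 55 "${rules}.lock" ipfw -q "$rules"
}

# Constructed sample input: two clients with different rates.
clients_file="${TMPDIR:-/tmp}/clients.$$"
printf '# ip rate\n1.1.1.1 30Kbytes/s\n1.1.1.2 64Kbytes/s\n' > "$clients_file"
rules_file="${TMPDIR:-/tmp}/fw.current.$$"
write_ruleset "$clients_file" "$rules_file"
```

Run as root on a FreeBSD host with `load_ruleset "$rules_file"` after the block; elsewhere it only generates the file.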
