ipfw performance and random musings.
rizzo at icir.org
Wed Aug 16 00:58:10 UTC 2006
On Tue, Aug 15, 2006 at 03:21:32PM +0200, Ian FREISLICH wrote:
> Luigi Rizzo wrote:
> > another approach that was suggested long ago was to put, in
> > the interface definition, a starting ipfw rule number so
> > the ip_fw_chk() would start from there if available,
> > rather than from rule 1.
> Do you have a quick-start on how I would go about doing this? I
in abstract terms, add to the struct ifnet a field to store the
initial rule number for incoming and outgoing traffic, to
be set through ifconfig or some other way.
When the firewall gets the packet and has an ifnet pointer, lookup
the initial number, then lookup the rule pointer through a hash
table or something like that (at the moment the number->rule translation
is done within each rule, but that needs to be centralized
as it does not scale or maps well to SMP), then start from there
instead of rule 1.
More information about the freebsd-ipfw