ipfw performance and random musings.
Ian FREISLICH
if at hetzner.co.za
Thu Aug 17 20:40:18 UTC 2006
Luigi Rizzo wrote:
> On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> > You're thinking of something along the lines of:
> >
> > skipto base hash-if <name pattern> from <number> to <number> delta <delta> [offset <number>]
>
> I did not consider the range in interface numbers,
> but that's a possibility, yes.
That's the only way to do this to eliminate yet another linear
search in the firewall processing.
> On the other hand, i don't think one is going to write
> 500 different subsets of ipfw rules to handle the 500
> different interfaces.
This is exactly what I'm doing. My routers have hundreds of
interfaces and my customers can edit rules that apply to only their
interface. I need to make the firewall go faster because one host
on a 100M ethernet can fully occupy ipfw's attention.
> another approach that was suggested long ago was to put, in
> the interface definition, a starting ipfw rule number so
> the ip_fw_chk() would start from there if available,
> rather than from rule 1.
Do you have a quick-start on how I would go about doing this? I
am not familiar with how packets get from the NIC into the firewall
and how I would get this information from the interface to the
firewall. I can then figure out which will be within my grasp.
Ian
--
Ian Freislich
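As an added illustration of the per-interface rule layout discussed in this thread (not code from the thread or from FreeBSD), the script below places one rule block per interface at base + index * delta and reaches it with plain skipto, emitting the ruleset as text for review rather than loading it. The interface names and indices are constructed; note that the dispatch block is still scanned linearly, which is exactly the cost the proposed hash-if keyword would remove.

```shell
#!/bin/sh
# Added example: per-interface ipfw rule blocks addressed by arithmetic.
# Layout (all numbers are constructed assumptions):
#   1000+idx        dispatch: one skipto per interface
#   BASE+idx*DELTA  first rule of that interface's private block
#   block end       skipto TAIL so blocks never fall through into each other
#   TAIL            shared tail of the ruleset
BASE=10000
DELTA=100
TAIL=65000

# Rule number of the block for interface index $1; fails if it would
# collide with the tail (ipfw rule numbers must also stay below 65535).
block_for() {
    b=$(( BASE + $1 * DELTA ))
    if [ "$b" -ge "$TAIL" ]; then
        echo "interface index $1 does not fit below rule $TAIL" >&2
        return 1
    fi
    echo "$b"
}

# Emit the full layout for a list of "ifname:index" arguments.
# Output is ipfw(8) command text, e.g. for 'ipfw -q /dev/stdin' after review.
gen_ruleset() {
    for entry in "$@"; do
        ifn=${entry%%:*}; idx=${entry##*:}
        b=$(block_for "$idx") || return 1
        echo "add $((1000 + idx)) skipto $b ip from any to any via $ifn"
    done
    for entry in "$@"; do
        ifn=${entry%%:*}; idx=${entry##*:}
        b=$(block_for "$idx") || return 1
        # The customer-editable rules for this interface live between
        # $b and $((b + DELTA - 2)); a count rule marks the block start.
        echo "add $b count ip from any to any via $ifn"
        echo "add $((b + DELTA - 1)) skipto $TAIL ip from any to any"
    done
    echo "add $TAIL allow ip from any to any"
}

# Constructed sample interfaces for a stand-alone run.
gen_ruleset vlan10:1 vlan11:2 vlan12:3
```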