Filtering question: checking for many addresses in a single rule?

Lars Eggert larse at ISI.EDU
Tue Oct 21 20:59:45 PDT 2003


Jos Backus wrote:
> If one has many (thousands) hosts/addresses that the same filter action needs
> to be taken for, what would be the most efficient way to implement this using,
> say, ipfw or ipfilter? I'm referring to the ability to create/load a large
> hashed set of addresses and a way to refer to the set in a filter rule. So
> rather than having many rules that need to be scanned sequentially there would
> only be one rule and the matching mechanism would use a hash table instead.
> 
> Thoughts?

You can generate a rule set based on matching increasingly specific 
subnets in combination with skipto, i.e. simulate a trie-like structure 
with the firewall. This can get you down to O(log).

It's not as automatic as you'd like though, probably.

Lars
-- 
Lars Eggert <larse at isi.edu>           USC Information Sciences Institute
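One way to generate the skipto trie described above, as an added example (not code from the thread): it buckets a constructed blocklist by /8, /16 and /24 before the host rules, links the blocks with ipfw `skipto`, and a small simulator counts how many rules ipfw would evaluate for a given source. The `LEVELS` split, the block labels and the trailing `allow` placeholder standing in for the rest of the policy are assumptions of this example.

```python
import ipaddress
from collections import defaultdict, deque

LEVELS = (8, 16, 24)   # trie levels tested in order; /32 hosts are the leaves
# Constructed sample blocklist (RFC 1918 and TEST-NET-1 addresses), not real data.
SAMPLE_BLOCKLIST = ["10.1.2.3", "10.1.2.4", "10.7.0.1", "192.0.2.10"]

def build_skipto_rules(addresses, action="deny", start=1000):
    """Emit ipfw rules that test /8, then /16, then /24, then the host, with
    skipto jumping between blocks so each packet touches only a few rules."""
    addrs = sorted({ipaddress.ip_address(a) for a in addresses})
    rules, labels, pending, n = [], {}, deque([("root", addrs, 0)]), 0
    while pending:                        # FIFO: child blocks land after parents
        blk, members, lvl = pending.popleft()
        labels[blk] = len(rules)          # block label -> index of its first rule
        if lvl < len(LEVELS):
            groups = defaultdict(list)
            for a in members:
                groups[ipaddress.ip_network(f"{a}/{LEVELS[lvl]}", strict=False)].append(a)
            for net, sub in sorted(groups.items()):
                n += 1
                pending.append((f"b{n}", sub, lvl + 1))
                rules.append(f"skipto {{b{n}}} ip from {net} to any")
        else:
            rules.extend(f"{action} ip from {a} to any" for a in members)
        rules.append("skipto {end} ip from any to any")   # nothing matched: leave the trie
    labels["end"] = len(rules)
    rules.append("allow ip from any to any")   # placeholder for the rest of the policy
    nums = {k: start + v for k, v in labels.items()}
    return [f"add {start + i} {t.format(**nums)}" for i, t in enumerate(rules)]

def simulate(rules, src):
    """Walk the rule list as ipfw would for a packet from src; return
    (rules_examined, final_action) to show how shallow the trie walk is."""
    src = ipaddress.ip_address(src)
    parsed = []
    for r in rules:
        t = r.split()                     # add N action [target] ip from SRC to any
        parsed.append((int(t[1]), t[2], int(t[3]) if t[2] == "skipto" else None,
                       t[t.index("from") + 1]))
    i = examined = 0
    while i < len(parsed):
        _, act, target, match = parsed[i]
        examined += 1
        if match == "any" or src in ipaddress.ip_network(match, strict=False):
            if act != "skipto":
                return examined, act
            i = next(j for j, p in enumerate(parsed) if p[0] >= target)   # skipto N
        else:
            i += 1
    return examined, "end"
```

With four hosts the walk is no shorter than a flat list; the saving appears when thousands of hosts share a few /8 and /16 prefixes, since each level adds only its fan-out, not the whole list.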