Filtering question: checking for many addresses in a single rule?

Jos Backus jos at catnook.com
Wed Oct 22 09:38:11 PDT 2003


On Tue, Oct 21, 2003 at 08:59:38PM -0700, Lars Eggert wrote:
> Jos Backus wrote:
> >If one has many (thousands) hosts/addresses that the same filter action
> >needs to be taken for, what would be the most efficient way to implement
> >this using, say, ipfw or ipfilter?

> You can generate a rule set based on matching increasingly specific 
> subnets in combination with skipto, i.e. simulate a trie-like structure 
> with the firewall. This can get you down to O(log).
> 
> It's not as automatic as you'd like though, probably.

Right. That would be one way of making the existing rule-based mechanism more
efficient, but it would presumably still be too slow and cumbersome to
maintain. However, Pyun YongHyeon pointed me to pf's table feature which looks
like it fits the ticket perfectly, so I'm going to investigate that.

Thanks Lars.

-- 
Jos Backus                       _/  _/_/_/      Sunnyvale, CA
                                _/  _/   _/
                               _/  _/_/_/
                          _/  _/  _/    _/
jos at catnook.com        _/_/   _/_/_/          require 'std/disclaimer'
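As an added example, not part of the original thread or either poster's own configuration, the following pf.conf fragment shows what the pf table approach mentioned above looks like in practice: one table holds all the addresses, and a single rule references it. The table name "badhosts", the file path "/etc/pf/badhosts" and the interface name "fxp0" are assumptions chosen for illustration.

```pf
# Added example (not from the original thread). Table name, file path and
# interface name are assumptions for illustration.
ext_if = "fxp0"

# "persist" keeps the table around even when no loaded rule references it;
# "file" loads the initial contents: one address or CIDR prefix per line,
# "#" comments allowed. Thousands of entries fit in this one table.
table <badhosts> persist file "/etc/pf/badhosts"

# A single rule handles every entry. Table lookups use a radix tree, so the
# per-packet cost does not grow linearly with the number of entries the way
# a long list of per-host rules would.
block in quick on $ext_if from <badhosts> to any

# Entries can be changed at runtime without reloading the rule set:
#   pfctl -t badhosts -T add 192.0.2.10 198.51.100.0/24
#   pfctl -t badhosts -T delete 192.0.2.10
#   pfctl -t badhosts -T replace -f /etc/pf/badhosts
#   pfctl -t badhosts -T test 198.51.100.7
#   pfctl -t badhosts -T show
```

The `pfctl -t <table> -T ...` commands in the comments operate on the live table directly, which is what makes this easier to maintain than regenerating and reloading a skipto-based rule set every time the host list changes; `-T test` is a quick way to confirm that a given address is actually matched by the table before relying on the rule.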
