[patch] Source entries removing is awfully slow.
Kajetan Staszkiewicz
vegeta at tuxpowered.net
Wed Dec 4 14:29:31 UTC 2013
On Monday, 2 December 2013 at 17:39:27 Gleb Smirnoff wrote:
> I won't object on any interface that is consistent and resides in the
> '-K' and '-k' namespace. As said before, I am against utilizing new
> letters for options to avoid clashing with pfctl syntax in OpenBSD.
I have a nice command-line parser working, but I got blocked by one problem. As
the parser is quite big and most options are common to -K and -k, the parser
is just one function for both operation modes (and similarly for the
loops going over the IP addresses found for the given host names). Unfortunately
DIOCKILLSTATES and DIOCKILLSRCNODES use separate structures.
Whatever the parser reads, it puts the result in the following structure
(defined only inside pfctl, not in the kernel):
#include <sys/socket.h>	/* sa_family_t */
#include <net/if.h>		/* IFNAMSIZ */
#include <net/pfvar.h>		/* pf_rule_addr, pf_state_cmp, PF_*_SIZE */

/* pfctl-internal only: one request filled by the shared -K/-k parser,
 * later copied into the per-ioctl kernel structures. */
struct pfioc_universal_kill {
	sa_family_t		puk_af;		/* address family of the match */
	int			puk_proto;	/* protocol, 0 = any */
	struct pf_rule_addr	puk_src;	/* source address/port match */
	struct pf_rule_addr	puk_dst;	/* destination address/port match */
	struct pf_rule_addr	puk_rdr;	/* redirected (NAT) address match */
	struct pf_state_cmp	puk_pfcmp;	/* state id / creator id / direction */
	char			puk_ifname[IFNAMSIZ];		/* interface, "" = any */
	char			puk_label[PF_RULE_LABEL_SIZE];	/* rule label, "" = any */
	char			puk_table[PF_TABLE_NAME_SIZE];	/* table name, "" = any */
	u_int			puk_killed_states;	/* filled in after DIOCKILLSTATES */
	u_int			puk_killed_src_nodes;	/* filled in after DIOCKILLSRCNODES */
};
This later gets translated, for every ioctl, into pfioc_src_node_kill or
pfioc_state_kill.
To have the cleanest and simplest code it would make the most sense to use the
aforementioned pfioc_universal_kill for both DIOCKILLSTATES and
DIOCKILLSRCNODES. But that would be a change of the kernel API, which I assume
cannot take place inside a major release, so translating the structures is
currently the way to go. Please correct me if I am wrong.
--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
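The translation step described in the message, as an added example (not code from the post or from pfctl). The struct layouts are constructed stand-ins for the pf(4) definitions in <net/pfvar.h> so the file builds anywhere; the pfioc_universal_kill fields are those from the message, and the psk_*/psnk_* field names follow the FreeBSD ioctl structures of that era to the best of my knowledge. The point worth carrying into real code is the rejection path: when the universal request carries a constraint the target ioctl has no field for, the translation fails instead of silently dropping the constraint, since a dropped filter would kill more states or source nodes than the operator asked for.

```c
/* Added example: translating pfctl's universal kill request into the
 * per-ioctl structures.  All struct layouts are constructed stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_IFNAMSIZ   16
#define EX_LABEL_SIZE 64
#define EX_TABLE_SIZE 32
#define EX_AF_INET    2

struct ex_rule_addr {            /* stand-in for struct pf_rule_addr */
	uint32_t addr, mask;
	uint16_t port[2];
	uint8_t  port_op;
};
struct ex_state_cmp {            /* stand-in for struct pf_state_cmp */
	uint64_t id;
	uint32_t creatorid;
	uint8_t  direction;
};
struct pfioc_universal_kill {    /* pfctl-only, fields from the message */
	uint8_t  puk_af;
	int      puk_proto;
	struct ex_rule_addr puk_src, puk_dst, puk_rdr;
	struct ex_state_cmp puk_pfcmp;
	char     puk_ifname[EX_IFNAMSIZ];
	char     puk_label[EX_LABEL_SIZE];
	char     puk_table[EX_TABLE_SIZE];
	unsigned puk_killed_states, puk_killed_src_nodes;
};
struct ex_state_kill {           /* stand-in for struct pfioc_state_kill */
	struct ex_state_cmp psk_pfcmp;
	uint8_t  psk_af;
	int      psk_proto;
	struct ex_rule_addr psk_src, psk_dst;
	char     psk_ifname[EX_IFNAMSIZ];
	char     psk_label[EX_LABEL_SIZE];
	unsigned psk_killed;
};
struct ex_src_node_kill {        /* stand-in for struct pfioc_src_node_kill */
	uint8_t  psnk_af;
	struct ex_rule_addr psnk_src, psnk_dst;
	unsigned psnk_killed;
};

/* DIOCKILLSTATES request.  Returns -1 when the universal request carries a
 * constraint this ioctl cannot express (here: a table name), so the caller
 * fails loudly instead of killing a broader set than was asked for. */
int puk_to_state_kill(const struct pfioc_universal_kill *puk, struct ex_state_kill *psk)
{
	if (puk->puk_table[0] != '\0')
		return -1;
	memset(psk, 0, sizeof(*psk));
	psk->psk_pfcmp = puk->puk_pfcmp;
	psk->psk_af    = puk->puk_af;
	psk->psk_proto = puk->puk_proto;
	psk->psk_src   = puk->puk_src;
	psk->psk_dst   = puk->puk_dst;
	memcpy(psk->psk_ifname, puk->puk_ifname, sizeof(psk->psk_ifname)); /* same size by construction */
	memcpy(psk->psk_label, puk->puk_label, sizeof(psk->psk_label));
	return 0;
}

/* DIOCKILLSRCNODES request: the stand-in filters only on af/src/dst, so an
 * interface, label, table or state-id constraint is rejected, not dropped. */
int puk_to_src_node_kill(const struct pfioc_universal_kill *puk, struct ex_src_node_kill *psnk)
{
	if (puk->puk_ifname[0] || puk->puk_label[0] || puk->puk_table[0] || puk->puk_pfcmp.id)
		return -1;
	memset(psnk, 0, sizeof(*psnk));
	psnk->psnk_af  = puk->puk_af;
	psnk->psnk_src = puk->puk_src;
	psnk->psnk_dst = puk->puk_dst;
	return 0;
}

/* After each ioctl, fold the per-call counters back into the universal
 * request so the loop over resolved addresses can sum them. */
void puk_account(struct pfioc_universal_kill *puk, unsigned states, unsigned src_nodes)
{
	puk->puk_killed_states    += states;
	puk->puk_killed_src_nodes += src_nodes;
}

/* Self-check on constructed input; returns the number of checks that passed (7). */
int ex_selftest(void)
{
	struct pfioc_universal_kill puk;
	struct ex_state_kill psk;
	struct ex_src_node_kill psnk;
	int ok = 0;

	memset(&puk, 0, sizeof(puk));
	puk.puk_af = EX_AF_INET;
	puk.puk_src.addr = 0x0a000001u;  /* constructed: 10.0.0.1/32 */
	puk.puk_src.mask = 0xffffffffu;
	ok += puk_to_state_kill(&puk, &psk) == 0 && psk.psk_src.addr == 0x0a000001u;
	ok += puk_to_src_node_kill(&puk, &psnk) == 0 && psnk.psnk_af == EX_AF_INET;

	snprintf(puk.puk_ifname, sizeof(puk.puk_ifname), "em0");  /* constructed */
	ok += puk_to_state_kill(&puk, &psk) == 0;
	ok += strcmp(psk.psk_ifname, "em0") == 0;
	ok += puk_to_src_node_kill(&puk, &psnk) == -1;  /* cannot express -i, so refuse */

	puk_account(&puk, 3, 0);
	puk_account(&puk, 2, 1);
	ok += puk.puk_killed_states == 5;
	ok += puk.puk_killed_src_nodes == 1;
	return ok;
}

int main(void)
{
	printf("%d/7 checks passed\n", ex_selftest());
	return 0;
}
```

With the real headers the stand-in types would be replaced by struct pf_rule_addr, struct pf_state_cmp and the pfioc_* structures, and the two translate functions would sit next to the ioctl() calls inside the per-address loop; the memcpy calls are safe only because source and destination arrays use the same size constants, so keep that invariant if the field sizes ever diverge.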