ipfw performance and random musings.
Luigi Rizzo
rizzo at icir.org
Wed Aug 2 10:38:00 UTC 2006
On Wed, Aug 02, 2006 at 12:27:39PM +0200, Ian FREISLICH wrote:
...
> things. I can also give the ifp->if_index cache a go. Since I
> need to virtualise the firewall, I need a set of rules for each
> interface. I can't think of another way of sharing the firewall
> between a few hundred customers than by doing this:

that's too heavyweight, perhaps you need to implement a
new microinstruction to hash the interface name and do an indirect
jump to the right target. Although the syntax can be tricky, something
like

    hash-if name:base:delta[,name:base:delta]

where name is the basename of the interface (e.g. vlan)
so that packets from interface fooX would jump to base+X*delta

cheers
luigi
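
The jump-target arithmetic proposed above, worked through as an added example that is not part of the original message and is not ipfw code. `hash-if` is only a suggested instruction; the function names, the sample specs in the test and the 1..65534 rule range used for bounds checking are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: user rules are numbered 1..65534; 65535 is ipfw's default rule. */
#define RULE_MAX 65534L

/* Split "fooX" into basename length and unit X; -1 if there is no usable unit. */
static long split_ifname(const char *ifname, size_t *baselen)
{
    size_t n = strlen(ifname), i = n;
    while (i > 0 && isdigit((unsigned char)ifname[i - 1]))
        i--;
    if (i == n || i == 0 || n - i > 6)  /* no digits, no basename, absurd unit */
        return -1;
    *baselen = i;
    return strtol(ifname + i, NULL, 10);
}

/* Resolve ifname against "name:base:delta[,name:base:delta]".
 * Returns base + X*delta, or -1 on no match, bad spec or out-of-range target. */
long hash_if_target(const char *spec, const char *ifname)
{
    size_t baselen;
    long unit = split_ifname(ifname, &baselen);
    if (unit < 0)
        return -1;
    for (const char *p = spec; *p != '\0'; ) {
        const char *colon = strchr(p, ':');
        char *end;
        if (colon == NULL)
            return -1;
        long base = strtol(colon + 1, &end, 10);
        if (end == colon + 1 || *end != ':')
            return -1;
        const char *d = end + 1;
        long delta = strtol(d, &end, 10);
        if (end == d || (*end != ',' && *end != '\0'))
            return -1;
        if (base < 1 || base > RULE_MAX || delta < 1)
            return -1;
        if ((size_t)(colon - p) == baselen && strncmp(p, ifname, baselen) == 0)
            /* Overflow-safe bound check before computing the target. */
            return unit > (RULE_MAX - base) / delta ? -1 : base + unit * delta;
        p = (*end == ',') ? end + 1 : end;
    }
    return -1;
}
```

A caller would treat -1 as "no per-interface block" and fall through to the shared rules, so an unexpected interface name never lands in another customer's rule range.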