ipfw rule processing performances
Ian Smith
smithi at nimnet.asn.au
Thu Oct 27 04:23:42 UTC 2011
On Wed, 26 Oct 2011, Julian Elischer wrote:
> On 10/26/11 2:39 PM, Michael Sierchio wrote:
> > On Wed, Oct 26, 2011 at 11:39 AM, Julian Elischer <julian at freebsd.org> wrote:
> >
> > > read up on all the things you can do with tablearg.. sometimes a single
> > > table can replace dozens of rules.
> > Julian - would you be so kind as to give an example?
> >
> > - M
> >
> off the top of my head:
>
> implement an ad-hoc RErouting table using fwd tablearg
> implement entirely different rules for a complicated set of subnets using
> skipto tablearg
But in this context, isn't skipto tablearg time-expensive, in that it
can't use the cached target of a normal skipto, but must walk the
ruleset from the skipto to the resulting rule each time?
> arbitrarily slow down all the traffic from everyone you don't like in the
> company using "lookup" and queue.
>
> from the man page:
>
> The tablearg argument can be used with the following
> actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto
> action parameters: tag, untag, rule options: limit, tagged.
>
> and...
>
> # addresses we don't want to be seeing coming from outside..
> ${fwcmd} table 1 add 10.0.0.0/8
> ${fwcmd} table 1 add 172.16.0.0/12
> ${fwcmd} table 1 add 192.168.0.0/16
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
> # RESERVED-1, DHCP auto-configuration, NET-TEST, MULTICAST (class D),
> # and class E) on the outside interface
> ${fwcmd} table 1 add 0.0.0.0/8
> ${fwcmd} table 1 add 169.254.0.0/16
> ${fwcmd} table 1 add 192.0.2.0/24
> ${fwcmd} table 1 add 224.0.0.0/4
> ${fwcmd} table 1 add 240.0.0.0/4
Indeed, I was entirely bemused by the arguments against incorporating
this into rc.firewall a year or two ago ..
cheers, Ian
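The "skipto tablearg" pattern Julian mentions, written out as an added example (not from this thread and not FreeBSD's own rc.firewall): one dispatch rule sends traffic from each subnet in a table to that subnet's own policy block, in place of one skipto rule per subnet. The subnets, rule numbers and the FWCMD convention are constructed for the example; it prints the ipfw commands rather than loading them unless FWCMD is pointed at the real binary.

```sh
#!/bin/sh
# Added example, not from the thread or FreeBSD's rc.firewall: the
# "skipto tablearg" pattern, with one dispatch rule standing in for
# one skipto rule per subnet. Table 2 maps each subnet to the rule
# number of that subnet's policy block; "skipto tablearg" jumps to the
# number stored with the matching entry.
# FWCMD defaults to "echo ipfw" so the script runs offline and just
# prints the commands; set FWCMD=/sbin/ipfw on FreeBSD to load them.
fwcmd="${FWCMD:-echo ipfw}"
dispatch_rule=500

# Constructed sample subnets and the rule number each one is sent to.
subnets="10.1.0.0/16 1000
10.2.0.0/16 2000
10.3.0.0/16 3000"

# skipto only jumps forward: every table value must be above the
# dispatch rule, otherwise the matching packet falls through instead.
check_targets_forward() {
    bad=$(echo "$subnets" | awk -v d="$dispatch_rule" '$2 <= d { print }')
    [ -z "$bad" ]
}

load_tablearg_ruleset() {
    check_targets_forward || { echo "table value below dispatch rule" >&2; return 1; }
    ${fwcmd} table 2 flush
    echo "$subnets" | while read -r net rule; do
        ${fwcmd} table 2 add "$net" "$rule"   # value = skipto target
    done
    # one dispatch rule instead of one skipto per subnet
    ${fwcmd} add "$dispatch_rule" skipto tablearg ip from "table(2)" to any
    # sources not in the table get the default policy
    ${fwcmd} add 510 allow ip from any to any
    # per-subnet policy blocks, each ending in a terminal action
    ${fwcmd} add 1000 deny tcp from any to any 23
    ${fwcmd} add 1010 allow ip from any to any
    ${fwcmd} add 2000 deny ip from any to any
    ${fwcmd} add 3000 allow ip from any to any
}

# number of skipto rules emitted; the per-subnet version would need
# one per table entry
count_dispatch_rules() {
    load_tablearg_ruleset | grep -c "skipto tablearg"
}
```

Adding a subnet later is a single "table 2 add" with its target rule number; the dispatch rule itself never changes.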