Efficient use of Dummynet pipes in IPFW

Brett Glass brett at lariat.org
Mon Sep 19 08:55:50 PDT 2005


At 09:16 AM 9/19/2005, Luigi Rizzo wrote:
 
>> >Same as for the 'resume' option. It might be nice to have,
>> >but there is already a two-rule version (the one i
>> >suggested, follow the non-terminating action with a skipto rule)
>> >so its absence is not blocking you from doing what you want.
>> 
>> That option requires repeating ALL of the matching on the packet.
>
>absolutely not. it is the same as your 'resume' only split on two lines.

Please explain how you would render the following as just two lines
without doing all of the matching twice.

pipe 17 tcp from 0.0.0.1 to any 80 in via tun* established resume 5000

See the problem? (Hint: You can't do it in less than 3 lines -- 4
if you're using a one pass preprocessor because you need to generate
a jump target. And jump targets in IPFW have overhead because there 
really is no such thing as a NOP in IPFW. Every rule, even a jump 
target, is a counter.)

>whatever. feel free to write a high level interpreter,
>since i don't see it that way you can't expect me to do that :)

I'm certainly not asking for that! I think that the "resume" option
is a good way to deal with the problem. 

--Brett Glass

P.S. -- The ability to negate an entire rule (that is, a "short circuit 
NAND" of all of the conditions) would also come in handy, though I am not
sure what syntax would be best for it. Maybe placing the "not" before
the action, like this:

not skipto 5000 tcp from 0.0.0.1 to any 80 in via tun* established

Note that this isn't as efficient as a "resume" in the example
I've shown above, but can be very efficient in other situations. 
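
Added example (not part of the original message, and not ipfw code): a toy Python model of rule traversal that counts full condition evaluations and rules visited for the two-rule version, a skipto-only expansion that matches once (one possible layout, not necessarily the shortest), and the proposed "resume" option. The rule numbers other than 5000, the sample packets, the modelled "resume" semantics (pipe, then jump on match) and the one_pass=0 setting are assumptions of the sketch.

```python
# Toy model of ipfw rule traversal (constructed for illustration; not ipfw code).
# Assumes net.inet.ip.fw.one_pass=0: a packet leaving a pipe continues at the next rule.

def match(pkt):
    # Stands for: tcp from 0.0.0.1 to any 80 in via tun* established
    return (pkt["proto"] == "tcp" and pkt["src"] == "0.0.0.1" and pkt["dport"] == 80
            and pkt["dir"] == "in" and pkt["iface"].startswith("tun") and pkt["established"])

ALL = None  # "ip from any to any": always matches

# Rule = (number, action, argument, condition, resume target or None).
# Rule numbers other than 5000 are made up; the last field models the proposed option.
TWO_RULE = [(1000, "pipe", 17, match, None), (1010, "skipto", 5000, match, None),
            (1020, "allow", None, ALL, None), (5000, "allow", None, ALL, None)]
SKIPTO_ONLY = [(1000, "skipto", 1020, match, None), (1010, "skipto", 1040, ALL, None),
               (1020, "pipe", 17, ALL, None), (1030, "skipto", 5000, ALL, None),
               (1040, "allow", None, ALL, None), (5000, "allow", None, ALL, None)]
RESUME = [(1000, "pipe", 17, match, 5000),
          (1010, "allow", None, ALL, None), (5000, "allow", None, ALL, None)]

def run(rules, pkt):
    """Return (full condition evaluations, rules visited, pipes used, final rule number)."""
    evals, visited, pipes, i = 0, 0, [], 0
    while i < len(rules):
        num, action, arg, cond, resume = rules[i]
        visited += 1                 # every rule reached is examined and counted
        hit = True
        if cond is not ALL:
            evals += 1
            hit = cond(pkt)
        if hit and action == "allow":
            return evals, visited, pipes, num
        target = None
        if hit and action == "pipe":
            pipes.append(arg)
            target = resume          # None: fall through to the next rule
        elif hit and action == "skipto":
            target = arg
        if target is None:
            i += 1
        else:                        # skipto lands on the first rule numbered >= target
            i = next(j for j, r in enumerate(rules) if r[0] >= target)
    return evals, visited, pipes, None

HIT = {"proto": "tcp", "src": "0.0.0.1", "dport": 80, "dir": "in",
       "iface": "tun0", "established": True}      # constructed sample packet
MISS = dict(HIT, dport=22)                         # constructed sample packet

if __name__ == "__main__":
    for name, rs in (("two-rule", TWO_RULE), ("skipto-only", SKIPTO_ONLY), ("resume", RESUME)):
        print(name, run(rs, HIT), run(rs, MISS))
```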


