IPFW: table improvement

Lowell Gilbert freebsd-questions-local at be-well.ilk.org
Thu Apr 16 13:11:20 UTC 2009


KES <kes-kes at yandex.ru> writes:

> Is it the right place to post ideas?

Sure.  That doesn't mean anyone will implement them for you, but you can
try to discuss them here.

> If it is, let's suggest the next improvement
>
> IPFW has 'table' command
> each table entry has some 'tablearg'
>
> There are situations when you need each entry to have multiple values.
> For example:
>
>
> #NAT
> table 1 add 10.0.1.0/24 1
> table 1 add 10.0.2.0/24 2
>
> #PIPE
> table 2 add 10.0.1.0/24 3
> table 2 add 10.0.2.0/24 4
>
> #tag
> table 3 add 10.0.1.0/24 7
> table 4 add 10.0.2.0/24 9
>
> ipfw add XXX tag  tablearg all from table(1) to any
> ipfw add XXX nat  tablearg all from table(2) to any
> ipfw add XXX pipe tablearg all from table(3) to any
>
>
> It will be best if it can be optimized as follows:
> table 1 add 10.0.1.0/24 1 3 7
> table 1 add 10.0.2.0/24 2 4 9
>
> #user can name columns as:
> table 1 columns nat pipe tag
>
> #1. compatibility: first column can be used as usual
> ipfw add XXX tag tablearg all from table(1) to any
>
> #2. you may use value from second column of table entry as:
> ipfw add XXX nat tablearg(2) all from table(1) to any
>
> #3. you may use value by name
> ipfw add XXX pipe tablearg(pipe) all from table(1) to any
>
> #4. finally it will be good to apply multiple commands to one rule:
> ipfw add XXX pipe tablearg(pipe) nat tablearg(2) tag tablearg all from table(1) to any
>
> What do you think?

It doesn't seem very efficient.  The tags and associated values would
have to be stored outside of the table entry itself, so there would be
more data structure traversal on every packet.  

Probably better would be to stick to the current scheme in the value
itself, and hash out of it.  

A big advantage of open source, of course, is that you can try your
ideas out yourself, and see how they work.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
		http://be-well.ilk.org/~lowell/
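
Stock ipfw keeps one value per table entry, so the multi-column layout proposed in the quoted message can be approximated outside the kernel by generating the per-table commands from a single definition, which keeps the NAT, pipe and tag tables from drifting apart. The following is an added example, not code from either poster or from FreeBSD; the function name `expand_tables`, the column-to-table mapping (nat=1, pipe=2, tag=3) and the IPv4-only address check are assumptions.

```shell
#!/bin/sh
# Added example: expand one multi-column spec into the single-value
# "ipfw table N add" commands. It only prints commands; it never runs ipfw.

# Column position -> table number (assumption: nat=1, pipe=2, tag=3).
COLUMN_TABLES="1 2 3"

# Reads "<cidr> <nat> <pipe> <tag>" lines on stdin. Output is buffered and
# printed only if every line validates, so a bad spec emits nothing.
expand_tables() {
    lineno=0
    out=""
    while read -r cidr values || [ -n "$cidr" ]; do
        lineno=$((lineno + 1))
        case "$cidr" in
            ''|'#'*) continue ;;                 # blank line or comment
            *[!0-9./]*)                          # IPv4 CIDR characters only
                echo "line $lineno: bad address '$cidr'" >&2
                return 1 ;;
        esac
        set -- $values                           # split the value columns
        for table in $COLUMN_TABLES; do
            case "${1:-}" in
                ''|*[!0-9]*)                     # missing or non-numeric
                    echo "line $lineno: bad value for table $table" >&2
                    return 1 ;;
            esac
            out="${out}ipfw table $table add $cidr $1
"
            shift
        done
        if [ $# -ne 0 ]; then
            echo "line $lineno: more values than columns" >&2
            return 1
        fi
    done
    printf '%s' "$out"
}

# Constructed sample input, reusing the addresses and values from the post.
printf '%s\n' '10.0.1.0/24 1 3 7' '10.0.2.0/24 2 4 9' | expand_tables
```

Because addresses and values are restricted to digits, dots and slashes before anything is printed, the generated lines can be reviewed and then piped to `sh` without a spec line being able to smuggle in other shell syntax.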

