Luigi Rizzo wrote:
> On Wed, Aug 02, 2006 at 12:27:39PM +0200, Ian FREISLICH wrote:
> ...
> > things. I can also give the ifp->if_index cache a go. Since I
> > need to virtualise the firewall, I need a set of rules for each
> > interface. I can't think of another way of sharing the firewall
> > between a few hundred customers than by doing this:
>
> that's too heavyweight, perhaps you need to implement a
> new microinstruction to hash the interface name and do an indirect
> jump to the right target. Although the syntax can be tricky, something
> like
>
> hash-if name:base:delta[,name:base:delta]
>
> where name is the basename of the interface (e.g. vlan)
> so that packets from interface fooX would jump to base+X*delta
So, this will get performance to approach 120kpps, that will still need
to do a linear search of the rule set to find the next rule, which I see
I have to do anyway. For some reason I thought skipto used a pointer to
the next rule.

You're thinking somewhere on the lines of:

skipto base hash-if <name pattern> from <number> to <number> delta <delta> [offset <number>]

so

skipto 1000 hash-if vlan from 1 to 500 delta 100

will match vlan1 to vlan500 and skipto:

vlan1 rule 1100
...
vlan500 rule 51000

and

skipto 1000 hash-if vlan from 1000 to 1500 delta 100 offset -100000

will match vlan1000 to vlan1500 and skipto:

vlan1000 rule 1000
...
vlan1500 rule 51000

I'll see if I can figure out how to do this.

Ian

--
Ian Freislich
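The dispatch that the proposed "skipto base hash-if" rule would perform, modelled in C as an added example (this is not ipfw code and the struct and function names are invented here): match the interface basename, check the unit number against the from/to range, and compute base + unit*delta + offset, which reproduces both vlan examples in the message above. The 65535 upper bound is ipfw's rule number limit, applied here as an assumption so an out-of-range target is reported as a non-match rather than silently used.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of one "skipto base hash-if" rule (hypothetical). */
struct hash_if {
    const char *name;   /* interface basename, e.g. "vlan" */
    long from, to;      /* inclusive range of interface unit numbers */
    long base;          /* skipto base rule number */
    long delta;         /* rule spacing per interface unit */
    long offset;        /* optional correction, 0 when absent */
};

/* Highest rule number ipfw accepts (assumed limit for this model). */
#define IPFW_MAX_RULE 65535L

/*
 * Target rule for a packet on `ifname`, or -1 when the rule does not
 * apply: wrong basename, non-numeric suffix, unit outside [from, to],
 * or a computed target outside 1..IPFW_MAX_RULE.
 */
long hash_if_target(const struct hash_if *r, const char *ifname)
{
    size_t n = strlen(r->name);
    char *end;
    long unit, target;

    if (strncmp(ifname, r->name, n) != 0 || !isdigit((unsigned char)ifname[n]))
        return -1;
    unit = strtol(ifname + n, &end, 10);
    if (*end != '\0' || unit < r->from || unit > r->to)
        return -1;
    target = r->base + unit * r->delta + r->offset;
    return (target < 1 || target > IPFW_MAX_RULE) ? -1 : target;
}

/* The two rules from the message: vlan1..500 and vlan1000..1500. */
const struct hash_if rule_low  = { "vlan", 1,    500,  1000, 100, 0 };
const struct hash_if rule_high = { "vlan", 1000, 1500, 1000, 100, -100000 };

int main(void)
{
    const char *ifs[] = { "vlan1", "vlan500", "vlan501", "vlan1000", "vlan1500", "em0" };
    for (size_t i = 0; i < sizeof ifs / sizeof ifs[0]; i++)
        printf("%-8s low -> %6ld  high -> %6ld\n", ifs[i],
               hash_if_target(&rule_low, ifs[i]), hash_if_target(&rule_high, ifs[i]));
    return 0;
}
```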
