Luigi Rizzo wrote:
> On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> > You're thinking somewhere on the lines of:
> >
> > skipto base hash-if <name pattern> from <number> to <number> delta <delta>
> > [offset <number>]
>
> i did not consider the range in interface numbers,
> but that's a possibility, yes.

That's the only way to do this to eliminate yet another linear search in the firewall processing.

> On the other hand, i don't think one is going to write
> 500 different subsets of ipfw rules to handle the 500
> different interfaces.

This is exactly what I'm doing. My routers have hundreds of interfaces and my customers can edit rules that apply to only their interface. I need to make the firewall go faster because one host on a 100M ethernet can fully occupy ipfw's attention.

> another approach that was suggested long ago was to put, in
> the interface definition, a starting ipfw rule number so
> the ip_fw_chk() would start from there if available,
> rather than from rule 1.

Do you have a quick-start on how I would go about doing this? I am not familiar with how packets get from the NIC into the firewall and how I would get this information from the interface to the firewall. I can then figure out which will be within my grasp.

Ian

--
Ian Freislich
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
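The two ideas in this exchange, a per-interface jump computed from the interface number and the cost of locating the skipto target in a sorted rule chain, can be modelled in a few lines of C. The program below is an added example written for this page; it is not ipfw code and the `hash-if` syntax it models is only the proposal quoted in the thread. The way `base`, `from`, `delta` and `offset` combine into a rule number, and the behaviour for an interface outside the `from`/`to` range (treated as a non-match), are assumptions made for the example. The rule numbers in the sample chain are constructed.

```c
#include <stdio.h>

/*
 * Constructed model of the proposed
 *   skipto base hash-if <name pattern> from <n> to <n> delta <d> [offset <o>]
 * rule. Not ipfw code. Assumed mapping: every interface number in [from, to]
 * owns a block of `delta` rule numbers, and the block for interface `from`
 * starts at base + offset.
 */
struct hash_if {
    int base;    /* skipto base rule number */
    int from;    /* first interface number covered */
    int to;      /* last interface number covered */
    int delta;   /* rule numbers reserved per interface */
    int offset;  /* added to base before the per-interface stride (assumption) */
};

/*
 * Rule number to skip to for interface `ifnum`, or -1 when the interface is
 * outside [from, to]. The -1 case models the rule not matching, so processing
 * would continue with the next rule (an assumption, not something the thread states).
 */
int hash_if_target(const struct hash_if *h, int ifnum)
{
    if (ifnum < h->from || ifnum > h->to)
        return -1;
    return h->base + h->offset + (ifnum - h->from) * h->delta;
}

/*
 * ipfw keeps the chain sorted by rule number, and skipto lands on the first
 * rule whose number is >= target. Both searches return the index of that rule,
 * or `n` when no rule qualifies (end of chain). `steps` counts rules examined,
 * which is the cost the thread wants to stop paying on every packet.
 */
int find_rule_linear(const int *rules, int n, int target, int *steps)
{
    int i;

    *steps = 0;
    for (i = 0; i < n; i++) {
        (*steps)++;
        if (rules[i] >= target)
            return i;
    }
    return n;
}

int find_rule_binary(const int *rules, int n, int target, int *steps)
{
    int lo = 0, hi = n;

    *steps = 0;
    while (lo < hi) {
        int mid = lo + (hi - lo) / 2;

        (*steps)++;
        if (rules[mid] < target)
            lo = mid + 1;
        else
            hi = mid;
    }
    return lo;
}

int main(void)
{
    /* Constructed chain: a shared prefix, then a 100-number block per interface 1..3. */
    static const int chain[] = { 100, 200, 1000, 1010, 1100, 1110, 1200, 1210 };
    const int n = (int)(sizeof(chain) / sizeof(chain[0]));
    struct hash_if h = { 1000, 1, 500, 100, 0 };
    int ifnum;

    for (ifnum = 1; ifnum <= 3; ifnum++) {
        int target = hash_if_target(&h, ifnum);
        int lsteps, bsteps;
        int li = find_rule_linear(chain, n, target, &lsteps);
        int bi = find_rule_binary(chain, n, target, &bsteps);

        printf("if%d -> rule %d: linear idx %d (%d steps), binary idx %d (%d steps)\n",
               ifnum, target, li, lsteps, bi, bsteps);
    }
    printf("if%d -> %d (outside range, rule does not match)\n",
           900, hash_if_target(&h, 900));
    return 0;
}
```

The point of the two search functions is that the jump computed by `hash_if_target` is only half the saving: if the firewall then has to walk the chain to find the rule carrying that number, the per-packet cost is still proportional to chain length, which is what the reply above calls "yet another linear search".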
