Alternatively, is getting a much faster CPU (p3 1.6g?) a "big hammer" that solves problems related to the number of rules being parsed for each packet?
Just curious.

On Sun, 5 Jan 2003, Barney Wolff wrote:

> On Sun, Jan 05, 2003 at 01:31:24PM -0800, Josh Brooks wrote:
> > So, I have 927 ipfw rules in place - but I am guessing that about 800 of
> > those rules are just "count" rules for me to count bandwidth:
> >
> > 001 164994 120444282 count ip from any to 10.10.10.10
> > 002 158400 16937232 count ip from 10.10.10.10 to any
>
> Much of your problem is that you're running through all the rules on
> every packet. ipfw keeps going until it hits an allow or deny rule.
> Since all rules get counted, I'd suggest putting all your denies up
> front, and then have allow rules, not count rules, with the most
> heavily used addresses first. That way, many fewer rules should get
> interpreted for each packet. An even fancier scheme would use skipto
> and divide up your IP ranges in a binary search.
>
> --
> Barney Wolff http://www.databus.com/bwresume.pdf
> I'm available by contract or FT, in the NYC metro area or via the 'Net.
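
Added example, not part of the original thread: one way to lay out the skipto binary search suggested above, generating per-host count rules for both directions and simulating how many rules one packet is tested against. The 10.10.10.0/24 block, the rule numbers (1000, 30000, 60000), the spacing of 10 and the leaf size of 8 are assumptions; rule 60000 stands for wherever the allow/deny rules continue.

```python
import ipaddress

STEP = 10  # rule-number spacing (assumed)

def build(net, start, exit_rule, leaf=8):
    """Return [(num, action, skipto_target, net)]: a skipto binary search over net."""
    if net.num_addresses <= leaf:
        rules = [(start + i * STEP, "count", None, ipaddress.ip_network(h))
                 for i, h in enumerate(net)]
        # Leave the tree after this leaf so no other leaf's counters are scanned.
        rules.append((start + len(rules) * STEP, "skipto", exit_rule, None))
        return rules
    low, high = net.subnets(prefixlen_diff=1)
    left = build(low, start + STEP, exit_rule, leaf)
    right_start = left[-1][0] + STEP
    # Upper half jumps over the lower-half subtree; lower half falls through.
    return ([(start, "skipto", right_start, high)] + left
            + build(high, right_start, exit_rule, leaf))

def render(rules, side):
    """Format rules as ipfw commands matching on the destination or source address."""
    out = []
    for num, action, target, net in rules:
        addr = str(net) if net else "any"
        match = f"from any to {addr}" if side == "dst" else f"from {addr} to any"
        verb = action if target is None else f"{action} {target}"
        out.append(f"ipfw add {num} {verb} ip {match}")
    return out

def rules_evaluated(rules, addr):
    """Count the rules tested for one packet address before it leaves the tree."""
    addr = ipaddress.ip_address(addr)
    index = {rule[0]: i for i, rule in enumerate(rules)}
    i = seen = 0
    while i < len(rules):
        _, action, target, net = rules[i]
        seen += 1
        if action == "skipto" and (net is None or addr in net):
            if target not in index:   # jump leaves this tree
                break
            i = index[target]
        else:
            i += 1                    # count rules never stop the search
    return seen

BLOCK = ipaddress.ip_network("10.10.10.0/24")  # constructed sample block
DST = build(BLOCK, 1000, 30000)    # inbound counters, then jump to the source tree
SRC = build(BLOCK, 30000, 60000)   # outbound counters, then on to rule 60000

if __name__ == "__main__":
    print("\n".join(render(DST, "dst") + render(SRC, "src")))
    print("# rules tested per direction:", rules_evaluated(DST, "10.10.10.10"))
```

With these assumptions each direction tests 14 rules per packet (5 skipto decisions plus one 9-rule leaf) instead of walking all 256 count rules for that direction.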