If one has many (thousands) hosts/addresses that the same filter action needs to be taken for, what would be the most efficient way to implement this using, say, ipfw or ipfilter? I'm referring to the ability to create/load a large hashed set of addresses and a way to refer to the set in a filter rule. So rather than having many rules that need to be scanned sequentially there would only be one rule and the matching mechanism would use a hash table instead.
Thoughts?
You can generate a rule set based on matching increasingly specific subnets in combination with skipto, i.e. simulate a trie-like structure with the firewall. This can get you down to O(log).
It's not as automatic as you'd like though, probably.
Lars -- Lars Eggert <[EMAIL PROTECTED]> USC Information Sciences Institute