Jos Backus wrote:
If one has many (thousands) hosts/addresses that the same filter action needs
to be taken for, what would be the most efficient way to implement this using,
say, ipfw or ipfilter? I'm referring to the ability to create/load a large
hashed set of addresses and a way to refer to the set in a filter rule. So
rather than having many rules that need to be scanned sequentially there would
only be one rule and the matching mechanism would use a hash table instead.

Thoughts?

You can generate a rule set based on matching increasingly specific subnets in combination with skipto, i.e. simulate a trie-like structure with the firewall. This can can get you down to O(log).

It's not as automatic as you'd like though, probably.

Lars
--
Lars Eggert <[EMAIL PROTECTED]>           USC Information Sciences Institute

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature



Reply via email to