25.08.2019 2:34, Eugene Grosbein wrote: > Also, use table arguments and not only table values, do not ignore their > existence: > > ipfw table $Mcast1_iface_out add vlan20 $mcast11 > ipfw table $Mcast1_iface_out add vlan20 $mcast12 > ipfw table $Mcast1_iface_out add vlan20 $mcast13 > ipfw add 25000 allow udp from IP1 to tablearg out xmit > "table($Mcast1_iface_out)" > > Note there is one single checking ipfw rules for all used pairs > ($Mcast1_iface_out, $mcastXX) > and this time it is not micro-optimization but very important one when you > have plenty of mcastXX.
I have to correct myself: ipfw table cannot contain multiple values differing with arguments only, so we should rewrite commands this way: first table contains just list of used multicast destination IPs: Mcast_addr_out=1 ipfw table $Mcast_addr_out create type addr ipfw table $Mcast_addr_out add $mcast11 25012 # use range of rules 25012-49999 ipfw table $Mcast_addr_out add $mcast12 25014 # increment rule number by 2 ipfw table $Mcast_addr_out add $mcast13 25016 And you have multiple tables for list of interfaces, one table per multicast destination: Mcast1_iface_out=2 ipfw table $Mcast1_iface_out create type iface ipfw table $Mcast1_iface_out add vlan20 ipfw table $Mcast1_iface_out add vlan22 ipfw table $Mcast1_iface_out add vlan39 Then you start filtering by splitting traffic by destination IP that is most efficient: ipfw add 25000 skipto tablearg from $IP1 to "table($Mcast_addr_out)" ipfw add 25010 deny udp from $your_multicast_range to any ipfw add 25011 skipto 50000 ip from any to any # past this set of checks Only traffic destined for specific IP hits the rule checking for outgoing interface: ipfw add 25012 allow udp from any to any out xmit "table($Mcast1_iface_out)" ipfw add 25013 deny udp from any to any ipfw add 25014 allow udp from any to any out xmit "table($Mcast2_iface_out)" ipfw add 25015 deny udp from any to any And so on. _______________________________________________ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
