Re: Filtering question: checking for many addresses in a single rule?
From: Lars Eggert (larse_at_ISI.EDU)
Date: 10/22/03
- Previous message: Jos Backus: "Filtering question: checking for many addresses in a single rule?"
- In reply to: Jos Backus: "Filtering question: checking for many addresses in a single rule?"
- Next in thread: Jos Backus: "Re: Filtering question: checking for many addresses in a single rule?"
- Reply: Jos Backus: "Re: Filtering question: checking for many addresses in a single rule?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 21 Oct 2003 20:59:38 -0700
To: jos@catnook.com
Jos Backus wrote:
> If one has many (thousands) hosts/addresses that the same filter action needs
> to be taken for, what would be the most efficient way to implement this using,
> say, ipfw or ipfilter? I'm referring to the ability to create/load a large
> hashed set of addresses and a way to refer to the set in a filter rule. So
> rather than having many rules that need to be scanned sequentially there would
> only be one rule and the matching mechanism would use a hash table instead.
>
> Thoughts?
You can generate a rule set based on matching increasingly specific
subnets in combination with skipto, i.e. simulate a trie-like structure
with the firewall. This can get you down to O(log).
It's not as automatic as you'd like though, probably.
Lars
-- Lars Eggert <larse@isi.edu> USC Information Sciences Institute
- application/x-pkcs7-signature attachment: S/MIME Cryptographic Signature
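The rule layout Lars describes, as an added example that is not part of the original thread: a generator that flattens a prefix trie into ipfw rules, dispatching on /8, then /16, then /24 with skipto before testing exact hosts, plus a small evaluator that walks the generated rules the way ipfw does so you can see how many rules a packet touches. The rule text (`skipto TARGET ip from SRC to any`, `deny ip from SRC to any`), the prefix lengths in LEVELS and the sample address set are assumptions of this example, not anything Lars or Jos posted.

```python
"""Added example (not from the original thread): build an ipfw rule set that
matches a large IPv4 address set by dispatching on increasingly specific
prefixes with skipto, i.e. a trie flattened into forward jumps.

Assumed (not in the original message): the rule text is ipfw's
"NNN skipto TARGET ip from SRC to any" / "NNN deny ip from SRC to any";
the prefix lengths in LEVELS and the sample addresses are made up here.
"""
import ipaddress
from collections import defaultdict

LEVELS = (8, 16, 24)   # dispatch on /8, then /16, then /24, then exact host
STEP = 1               # ipfw rule numbers are 1..65535, so pack them tightly

# Constructed sample set; a real set would be read from a file.
HOSTS = ["10.1.2.3", "10.1.2.4", "10.1.3.5", "10.9.0.1", "192.168.1.1"]


def _group(addrs, plen):
    """Partition addresses by their /plen network, sorted by network."""
    groups = defaultdict(list)
    for a in addrs:
        groups[ipaddress.ip_network(f"{a}/{plen}", strict=False)].append(a)
    return sorted(groups.items(), key=lambda kv: kv[0])


def _block(addrs, depth, action, out, labels):
    """Append one trie node to `out` as (label, rule-template) pairs.

    A node is either a leaf (one rule per host) or a dispatch list that
    skiptos into a child node per sub-prefix.  Every node ends with an
    unconditional skipto {END}: "not in the set, resume after the set".
    """
    if depth == len(LEVELS) or len(addrs) == 1:
        for a in addrs:
            out.append((None, f"{action} ip from {a} to any"))
        out.append((None, "skipto {END} ip from any to any"))
        return
    groups = _group(addrs, LEVELS[depth])
    names = []
    for net, _ in groups:
        lbl = f"L{len(labels)}"
        labels.append(lbl)
        names.append(lbl)
        out.append((None, f"skipto {{{lbl}}} ip from {net} to any"))
    out.append((None, "skipto {END} ip from any to any"))
    # Children follow their dispatch list, so every skipto jumps forward,
    # which is the only direction ipfw's skipto can go.
    for lbl, (_, members) in zip(names, groups):
        start = len(out)
        _block(members, depth + 1, action, out, labels)
        out[start] = (lbl, out[start][1])


def build_rules(hosts, action="deny", start=1000):
    """Return [(rule_number, rule_text), ...] for the address set."""
    addrs = sorted({ipaddress.IPv4Address(h) for h in hosts})
    out, labels = [], []
    _block(addrs, 0, action, out, labels)
    numbers = {lbl: start + i * STEP for i, (lbl, _) in enumerate(out) if lbl}
    numbers["END"] = start + len(out) * STEP
    return [(start + i * STEP, t.format(**numbers)) for i, (_, t) in enumerate(out)]


def simulate(rules, src):
    """Evaluate the generated rules for a packet from `src` as ipfw would.

    Returns (verdict, rules_examined); verdict is the matched action, or
    "pass" when evaluation falls through past the set.  Understands only
    the two rule forms build_rules emits.
    """
    src = ipaddress.IPv4Address(src)
    pos = {num: i for i, (num, _) in enumerate(rules)}
    end = rules[-1][0] + STEP
    i, examined = 0, 0
    while i < len(rules):
        _, text = rules[i]
        parts = text.split()
        target = int(parts[1]) if parts[0] == "skipto" else None
        body = parts[2:] if target is not None else parts[1:]
        matcher = body[2]                      # "ip from <matcher> to any"
        examined += 1
        if matcher == "any" or src in ipaddress.ip_network(matcher):
            if target is None:
                return parts[0], examined
            if target >= end:
                return "pass", examined
            i = pos[target]
        else:
            i += 1
    return "pass", examined


if __name__ == "__main__":
    rules = build_rules(HOSTS)
    for num, text in rules:
        print(f"ipfw add {num} {text}")
    for probe in ("10.1.2.4", "10.1.2.9", "172.16.0.1"):
        print(probe, simulate(rules, probe))
```

With the five sample hosts this yields 18 rules, and a packet from 10.1.2.4 is decided after touching 5 of them, where a flat list would scan up to the host's position; an address outside every /8 in the set is dismissed after 3. Two caveats a practitioner would want: ipfw rule numbers top out at 65535, so a set of many thousands of hosts plus its dispatch overhead needs tight numbering like STEP = 1 and still has a hard ceiling; and on any FreeBSD newer than this 2003 thread, ipfw lookup tables (`ipfw table 1 add 10.1.2.3`, then `deny ip from 'table(1)' to any`) give the hashed single-rule lookup Jos asked for directly, as do pf tables and ipfilter's ippool, so the skipto trie is mainly of interest where tables are unavailable.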