Re: Filtering question: checking for many addresses in a single rule?
From: Jos Backus (jos_at_catnook.com)
Date: 10/22/03
- Previous message: Aleksandar Simonovski: "gateway/firewall script"
- In reply to: Lars Eggert: "Re: Filtering question: checking for many addresses in a single rule?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 22 Oct 2003 09:38:10 -0700 To: freebsd-net@freebsd.org
On Tue, Oct 21, 2003 at 08:59:38PM -0700, Lars Eggert wrote:
> Jos Backus wrote:
> >If one has many (thousands) hosts/addresses that the same filter action
> >needs to be taken for, what would be the most efficient way to implement
> >this using, say, ipfw or ipfilter?
> You can generate a rule set based on matching increasingly specific
> subnets in combination with skipto, i.e. simulate a trie-like structure
> with the firewall. This can can get you down to O(log).
>
> It's not as automatic as you'd like though, probably.
Right. That would be one way of making the existing rule-based mechanism more
efficient, but it would presumably still be too slow and cumbersome to
maintain. However, Pyun YongHyeon pointed me to pf's table feature which looks
like it fits the ticket perfectly, so I'm going to investigate that.
Thanks Lars.
--
Jos Backus _/ _/_/_/ Sunnyvale, CA
_/ _/ _/
_/ _/_/_/
_/ _/ _/ _/
jos at catnook.com _/_/ _/_/_/ require 'std/disclaimer'
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
- Previous message: Aleksandar Simonovski: "gateway/firewall script"
- In reply to: Lars Eggert: "Re: Filtering question: checking for many addresses in a single rule?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
