Re: Efficient use of Dummynet pipes in IPFW
From: Brett Glass (brett_at_lariat.org)
Date: 09/19/05
- Previous message: Andre: "Re: PF and "set limit src-nodes" error."
- In reply to: Luigi Rizzo: "Re: Efficient use of Dummynet pipes in IPFW"
- Next in thread: Jeremie Le Hen: "Re: Efficient use of Dummynet pipes in IPFW"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Mon, 19 Sep 2005 09:55:34 -0600 To: Luigi Rizzo <rizzo@icir.org>
At 09:16 AM 9/19/2005, Luigi Rizzo wrote:
>> >Same for as the 'resume' option. It might be nice to have,
>> >however but there is already a two-rule version (the one i
>> >suggested, follow the non-terminating action with a skipto rule)
>> >so its absence is not blocking you from doing what you want.
>>
>> That option requires repeating ALL of the matching on the packet.
>
>absolutely not. it is the same as your 'resume' only split on two lines.
Please explain how you would render the following as just two lines
without doing all of the matching twice.
pipe 17 tcp from 0.0.0.1 to any 80 in via tun* established resume 5000
See the problem? (Hint: You can't do it in less than 3 lines -- 4
if you're using a one pass preprocessor because you need to generate
a jump target. And jump targets in IPFW have overhead because there
really is no such thing as a NOP in IPFW. Every rule, even a jump
target, is a counter.)
>whatever. feel free to write a high level interpreter,
>since i don't see it that way you can't expect me to do that :)
I'm certainly not asking for that! I think that the "resume" option
is a good way to deal with the problem.
--Brett Glass
P.S. -- The ability to negate an entire rule (that is, a "short circuit
NAND" of all of the conditions) would also come in handy, though I am not
sure what syntax would be best for it. Maybe placing the "not" before
the action, like this:
not skipto 5000 tcp from 0.0.0.1 to any 80 in via tun* established
Note that this isn't as efficient as a "resume" in the example
I've shown above, but can be very efficient in other situations.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
- Previous message: Andre: "Re: PF and "set limit src-nodes" error."
- In reply to: Luigi Rizzo: "Re: Efficient use of Dummynet pipes in IPFW"
- Next in thread: Jeremie Le Hen: "Re: Efficient use of Dummynet pipes in IPFW"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
