On Tuesday 14 December 2004 20:39, Mike Frantzen wrote:
> > Another thread on freebsd-net:
> > http://lists.freebsd.org/pipermail/f...er/005906.html
> > is discussing the possible overhead with filtering interfaces that do not
> > transport any IP-level data or in setups with huge LAN pipes that you
> > don't want to filter on.
>
> That thread is long and I'm lazy, but why not just prefix your ruleset
> with:

Well, you could at least take the time to read my message completely:

| To give some more motivation think of a setup where you have some GigE
| interfaces facing your LAN/DMZ and you don't want to filter them (which is
| very common). You will write a ruleset like:
|
| block all
| pass on { $if0, $if1, ... $ifN }
| #ruleset goes here
|
| The optimizer will also put these rules in front of the processing as there
| are a lot of matches. Still every packet on $ifN will have to go through N
| rules (skip-steps don't help) and every packet that really is filtered has
| that O(N) overhead in front as well.

> no scrub on $SKIP_INTERFACES
> no rdr on $SKIP_INTERFACES
> no nat on $SKIP_INTERFACES
> pass quick on $SKIP_INTERFACES
>
> It'll check the state tree first but that's only O(log n). I've had a

Oh, forgot about the state-checks. True, that's another problem as well.

> custom PF port filtering on a 4.8 box before (in hard interrupt context
> at that) and there was no problem with a saturated gig link and a light
> ruleset. It wasn't touching your routing code or stack though.

I am not saying that it is a problem with a "light ruleset", it works just
fine. All I am saying is that it is quite easy to improve things here with a
quite simple mechanism.

--
 /"\  Best regards,                      | mlaier@freebsd.org
 \ /  Max Laier                          | ICQ #67774661
  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
 / \  ASCII Ribbon Campaign              | Against HTML Mail and News

[demime 0.98d removed an attachment of type application/pgp-signature]
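The following is an added example, not code from the thread, from pf or from either author. It models only the two pieces of pf semantics the exchange turns on: rules are walked top to bottom and the last matching rule decides, unless a matching rule carries `quick`, which ends the walk at once. An interface list such as `{ $if0, $if1, ... $ifN }` is treated the way pfctl expands it, as one rule per interface. Skip-steps and the state-table lookup, which the thread discusses separately, are deliberately left out, and the interface names, the four-interface LAN set and the 1000-rule body are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    quick: bool = False           # 'quick' ends the rule walk at this rule
    iface: Optional[str] = None   # None models a rule without an 'on' clause


@dataclass(frozen=True)
class Packet:
    iface: str


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Simplified pf rule walk (assumption: no skip-steps, no state table).

    Rules are scanned top to bottom and the *last* matching rule decides,
    unless a matching rule carries 'quick', which stops the walk at once.
    Returns (decision, number_of_rules_examined).
    """
    decision = "pass"   # pf's default when nothing matches
    examined = 0
    for rule in rules:
        examined += 1
        if rule.iface is not None and rule.iface != pkt.iface:
            continue
        decision = rule.action
        if rule.quick:
            break
    return decision, examined


def build_rulesets(skip_ifaces: List[str], body_size: int) -> Tuple[List[Rule], List[Rule]]:
    """Return (last_match_form, pass_quick_form) for the same policy.

    The interface list is expanded into one rule per interface, as pfctl
    does. The body stands in for the real filter ruleset and is constructed
    here as body_size rules on a filtered interface named 'ext0'.
    """
    body = [Rule("block", iface="ext0") for _ in range(body_size)]
    # 'block all' / 'pass on { $if0, ... $ifN }' / ruleset   (the quoted form)
    last_match = [Rule("block")] + [Rule("pass", iface=i) for i in skip_ifaces] + body
    # 'pass quick on $SKIP_INTERFACES' placed ahead of the whole ruleset
    pass_quick = [Rule("pass", quick=True, iface=i) for i in skip_ifaces] + [Rule("block")] + body
    return last_match, pass_quick


def rule_walk_costs(skip_ifaces: List[str], body_size: int) -> Dict[str, Dict[str, int]]:
    """Rules examined per sample packet under each ordering."""
    last_match, pass_quick = build_rulesets(skip_ifaces, body_size)
    samples = {
        "first_skipped": Packet(skip_ifaces[0]),    # traffic on $if0
        "last_skipped": Packet(skip_ifaces[-1]),    # traffic on $ifN
        "filtered": Packet("ext0"),                 # traffic that must be filtered
    }
    return {
        name: {
            "last_match": evaluate(last_match, pkt)[1],
            "pass_quick": evaluate(pass_quick, pkt)[1],
        }
        for name, pkt in samples.items()
    }


if __name__ == "__main__":
    # Constructed scenario: four unfiltered LAN/DMZ interfaces, 1000 body rules
    lans = ["lan0", "lan1", "lan2", "lan3"]
    for name, cost in rule_walk_costs(lans, 1000).items():
        print(f"{name:14s} last-match: {cost['last_match']:5d}  pass quick: {cost['pass_quick']:5d}")
```

With four unfiltered interfaces and a 1000-rule body, a packet on the first skipped interface is examined against all 1005 rules in the last-match form but against a single rule once `pass quick` is used; a packet on the last skipped interface still walks the N expanded skip rules (4 here). The packet that really has to be filtered walks all 1005 rules under both orderings, because the N skip rules sit in front of the body either way; that is the O(N) cost in front of filtered traffic that the post refers to. Modern pf exposes the interface-level alternative as the `set skip on { ... }` option, which takes the interface out of filtering before the rule walk begins.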