On Sun, Jan 05, 2003 at 01:31:24PM -0800, Josh Brooks wrote:
> So, I have 927 ipfw rules in place - but I am guessing that about 800 of
> those rules are just "count" rules for me to count bandwidth:
> 
> 001 164994 120444282 count ip from any to 10.10.10.10
> 002 158400 16937232 count ip from 10.10.10.10 to any

Much of your problem is that you're running through all the rules on
every packet.  ipfw keeps going until it hits an allow or deny rule.
Since all rules get counted, I'd suggest putting all your denies up
front, and then have allow rules, not count rules, with the most
heavily used addresses first.  That way, many fewer rules should get
interpreted for each packet.  An even fancier scheme would use skipto
and divide up your IP ranges in a binary search.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
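Added illustration (not code from this thread): a small Python model of how ipfw walks a ruleset, used to compare the three layouts discussed above. It assumes a default-deny kernel (rule 65535 drops what falls through), 200 constructed monitored hosts in 10.10.10.0/24, one constructed denied block (198.51.100.0/24) and constructed source addresses; the `evaluate`, `count_then_allow`, `deny_then_allow` and `skipto_tree` helpers are this example's own names.

```python
"""Model of how ipfw walks a ruleset (constructed example, not code from the thread).

ipfw examines rules in ascending number order: a matching 'count' rule updates
its counters and the walk continues; 'allow'/'deny' stop the walk; 'skipto N'
continues at the first rule numbered >= N.  Every matching rule, whatever its
action, updates its packet/byte counters, so allow rules count bandwidth too.
"""
from collections import namedtuple
from ipaddress import ip_address

# src/dst: "any" or an inclusive (low, high) pair of ip_address objects.
Rule = namedtuple("Rule", "num action src dst target")


def _match(spec, addr):
    return spec == "any" or spec[0] <= addr <= spec[1]


def evaluate(rules, src, dst, counters=None):
    """Return (verdict, rules_examined) for one packet.

    The fall-through verdict models default rule 65535 on a kernel built
    with the default-deny policy (assumption of this example).
    """
    src, dst = ip_address(src), ip_address(dst)
    i, examined = 0, 0
    while i < len(rules):
        r = rules[i]
        examined += 1
        if _match(r.src, src) and _match(r.dst, dst):
            if counters is not None:            # every matching rule counts
                counters[r.num] = counters.get(r.num, 0) + 1
            if r.action in ("allow", "deny"):
                return r.action, examined
            if r.action == "skipto":            # resume at first rule >= target
                i = next((j for j in range(i + 1, len(rules))
                          if rules[j].num >= r.target), len(rules))
                continue
            # "count": matched, but the walk goes on
        i += 1
    return "deny", examined


# Constructed monitored hosts: 10.10.10.1 .. 10.10.10.200
HOSTS = [ip_address("10.10.10.%d" % i) for i in range(1, 201)]
# Constructed block to drop; a real ruleset would carry many of these.
DENIED = [(ip_address("198.51.100.0"), ip_address("198.51.100.255"))]


def count_then_allow(hosts=HOSTS):
    """Layout from the original post: one count rule per host, allow at the end."""
    rules = [Rule(n, "count", "any", (h, h), 0) for n, h in enumerate(hosts, 1)]
    rules.append(Rule(65000, "allow", "any", "any", 0))
    return rules


def deny_then_allow(denied=DENIED, hosts_busiest_first=HOSTS):
    """First suggestion: denies up front, then a terminating allow per host,
    ordered by traffic volume so the busy addresses stop the walk early."""
    rules = [Rule(n, "deny", d, "any", 0) for n, d in enumerate(denied, 1)]
    base = len(rules) + 1
    rules += [Rule(base + n, "allow", "any", (h, h), 0)
              for n, h in enumerate(hosts_busiest_first)]
    return rules


def _tree(hosts, leaf):
    """Binary split of a sorted host list; skipto targets are list indexes."""
    if len(hosts) <= leaf:
        return [["allow", "any", (h, h), None] for h in hosts]
    mid = len(hosts) // 2
    left, right = _tree(hosts[:mid], leaf), _tree(hosts[mid:], leaf)
    for r in left:                      # re-base nested targets
        if r[3] is not None:
            r[3] += 1
    for r in right:
        if r[3] is not None:
            r[3] += 1 + len(left)
    jump = ["skipto", "any", (hosts[mid], hosts[-1]), 1 + len(left)]
    return [jump] + left + right


def skipto_tree(hosts=HOSTS, leaf=8):
    """Second suggestion: skipto rules that binary-search the address range,
    then a short run of allow rules at each leaf."""
    raw = _tree(sorted(hosts), leaf)
    nums = [10 * (i + 1) for i in range(len(raw))]   # ascending: skipto only jumps forward
    return [Rule(nums[i], a, s, d, nums[t] if t is not None else 0)
            for i, (a, s, d, t) in enumerate(raw)]


if __name__ == "__main__":
    for name, rs in (("count-then-allow", count_then_allow()),
                     ("deny-then-allow", deny_then_allow()),
                     ("skipto tree", skipto_tree())):
        for dst in ("10.10.10.1", "10.10.10.200"):
            print(name, len(rs), "rules; to", dst, "->", evaluate(rs, "192.0.2.5", dst))
```

With 200 hosts the count-then-allow layout examines all 201 rules for every packet, deny-then-allow examines 2 rules for the busiest host but still 201 for the last one (so the ordering by traffic matters), and the skipto tree examines between 6 and 12 rules for any host. Since ipfw keeps packet and byte counters on every rule, the allow rules in the faster layouts still deliver the per-host bandwidth numbers the count rules were there for.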
