On Wed, 1 Feb 2006, Badbanchi Hossein wrote:
> What is bothering me is the sentence:
> Rules are processed in the order in which they were added to the interface,
> and the first rule matched takes the action ...
> 
> Does this really mean that no hash function is used? I mean if I have 20000
> MAC Addresses and want to check **each packet** against this list serially, 
> I suppose I had better forget about it! 

Yes, that's correct.  The bridge MAC address rules are implemented using a 
SIMPLEQ (list).

The bridge routecache is hash based though.  An alternative approach might 
be to turn off learning and discovery on the interface and add MAC 
addresses that are allowed to communicate statically.  That way the bridge 
never sends traffic to unknown addresses.  (The incoming traffic is 
still processed though, so the approach is a bit limited.)
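
To put numbers on the per-packet cost discussed in this thread, the following C sketch counts MAC comparisons for a first-match rule list versus a hash table; it is an added example, not part of the original messages and not the bridge code itself. The struct, the function names, the FNV-1a hash, the table size and the sample addresses are all assumptions made for illustration.

```c
/* Added example: list vs. hash lookup of MAC rules. All names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS 4096                 /* constructed size, power of two */

struct rule { uint8_t mac[6]; int allow; struct rule *next, *hnext; };

static struct rule *head, **tail = &head;   /* rules in the order added */
static struct rule *bucket[NBUCKETS];       /* same rules, chained by hash */

static unsigned hash_mac(const uint8_t *m) {
    uint32_t h = 2166136261u;               /* FNV-1a, picked for the example */
    for (int i = 0; i < 6; i++) h = (h ^ m[i]) * 16777619u;
    return h & (NBUCKETS - 1);
}

/* Constructed sample address: 02:00:00:00:hi:lo from a rule index. */
static void make_mac(uint8_t *mac, unsigned i) {
    memset(mac, 0, 6);
    mac[0] = 0x02; mac[4] = (uint8_t)(i >> 8); mac[5] = (uint8_t)i;
}

static void load_rules(unsigned n) {
    for (unsigned i = 0; i < n; i++) {
        struct rule *r = calloc(1, sizeof(*r));
        if (r == NULL) abort();
        make_mac(r->mac, i);
        r->allow = 1;
        *tail = r; tail = &r->next;          /* append keeps first-match order */
        unsigned b = hash_mac(r->mac);
        r->hnext = bucket[b]; bucket[b] = r;
    }
}

/* Returns the MAC comparisons needed; *verdict is 1 (allow) or -1 (no rule). */
static unsigned long lookup_cost(int use_hash, unsigned idx, int *verdict) {
    uint8_t mac[6];
    unsigned long n = 0;
    make_mac(mac, idx);
    *verdict = -1;
    for (struct rule *r = use_hash ? bucket[hash_mac(mac)] : head; r != NULL;
         r = use_hash ? r->hnext : r->next) {
        n++;
        if (memcmp(r->mac, mac, 6) == 0) { *verdict = r->allow; break; }
    }
    return n;
}
```

With 20000 rules loaded, a packet matching the last rule, or matching no rule at all, costs 20000 comparisons on the list, while the hashed lookup only walks one short bucket chain.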
