On Fri, Dec 20, 2002 at 06:31:03PM +0100, Cedric Berger wrote:
> Assuming that each host needs X rules, it becomes N x X, which in my
> case could easily be 10'000 x 10, which is huge, and a PITA to manage
> (i.e. remove and add addresses).
The primary application would be in a case like this:
block
pass in from { s1, s2, ..., sN } to { d1, d2, ..., dM } keep state
Now imagine N and M are huge, like N=10000 and M=10000.
If you expand this, you get 1E8 rules, and those are going to hurt
performance very badly when they are evaluated. And whenever the first
combination is evaluated, the entire block will be, as skip steps don't
work inside the entire block (no parameters are equal in subsequent
rules).
If you have two hash tables for s1-N and d1-M with a single rule
pass in from <hash-table-s> to <hash-table-d> keep state
evaluation is as cheap as evaluating any single rule (2*O(1)), and it
doesn't matter how large N and M are.
I'll have to study the pf changes. It depends on the cost introduced to
detect whether the source/destination address in a rule is pointing to a
hash table. The constant cost added by this is clearly irrelevant when
the rule indeed uses hash tables with many entries, but it also occurs
for each ordinary rule. If you have lots of normal rules, it may matter.
Daniel
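Added illustration for this thread (not code from pf, and not from either poster): a toy Python model of the two evaluation strategies Daniel describes. It expands a brace list into N*M rules and counts how many rules a linear pass examines, then does the same with one rule backed by two hash tables. The function names, the constructed addresses and the packet are inventions of this example; the model deliberately ignores pf's skip steps and the `quick` keyword. The `table <name> { ... }` syntax rendered by `render_table_ruleset` is the form pf ultimately adopted for tables, shown only to illustrate the single-rule version.

```python
# Added illustration (not pf code, not from the thread's authors): a toy
# model contrasting N*M expanded rules with one rule that consults two
# hash tables.  All names below are inventions of this example, and the
# evaluation model ignores pf's skip steps and the 'quick' keyword.
from itertools import product


def expand_rule(sources, dests):
    """Mimic brace-list expansion: the single rule
        pass in from { s1..sN } to { d1..dM } keep state
    becomes one rule per (source, destination) pair, i.e. N*M rules."""
    return [(s, d) for s, d in product(sources, dests)]


def evaluate_expanded(rules, pkt_src, pkt_dst):
    """Linear evaluation with last-matching-rule-wins semantics (pf without
    'quick'): every rule in the block is examined, so the cost is len(rules)
    regardless of where the matching pair sits.  Returns (matched, examined)."""
    matched = False
    examined = 0
    for src, dst in rules:
        examined += 1
        if src == pkt_src and dst == pkt_dst:
            matched = True
    return matched, examined


def evaluate_table(src_table, dst_table, pkt_src, pkt_dst):
    """One rule, two hash-table membership tests: constant cost (2*O(1)),
    independent of how many entries the tables hold."""
    examined = 2  # one lookup in each table
    return (pkt_src in src_table and pkt_dst in dst_table), examined


def render_table_ruleset(name_src, name_dst, sources, dests):
    """Render the table-based equivalent in pf.conf table syntax."""
    lines = [
        "table <%s> { %s }" % (name_src, ", ".join(sources)),
        "table <%s> { %s }" % (name_dst, ", ".join(dests)),
        "block",
        "pass in from <%s> to <%s> keep state" % (name_src, name_dst),
    ]
    return "\n".join(lines)


def compare(n, m):
    """Build N constructed sources and M constructed destinations, then
    return the work done for one matching packet under each approach."""
    sources = ["10.1.%d.%d" % (i // 256, i % 256) for i in range(n)]
    dests = ["10.2.%d.%d" % (i // 256, i % 256) for i in range(m)]
    rules = expand_rule(sources, dests)
    pkt = (sources[-1], dests[-1])  # constructed sample packet, matches last pair
    _, linear = evaluate_expanded(rules, *pkt)
    _, table = evaluate_table(frozenset(sources), frozenset(dests), *pkt)
    return {"rules": len(rules), "linear": linear, "table": table}


if __name__ == "__main__":
    r = compare(100, 100)
    print("expanded rules: %d, rules examined: %d, table lookups: %d"
          % (r["rules"], r["linear"], r["table"]))
    print(render_table_ruleset("hosts-s", "hosts-d", ["s1", "s2"], ["d1", "d2"]))
```

With N = M = 100 the expanded block is already 10,000 rules and the linear pass examines all of them for every packet, while the table version does two lookups; scaling to the 10,000 x 10,000 case in the mail changes only the first number.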