Luigi Rizzo wrote:
> On Fri, Aug 25, 2006 at 03:27:17PM +0200, Ian FREISLICH wrote:
>> Luigi Rizzo wrote:
>>> i am basically ok with this except, as i said, that there is
>>> no point in replicating the interface name i.e. why re0-re5
>>> instead of just re0-5 ? you just open up to possible mistake
On Fri, Aug 25, 2006 at 03:27:17PM +0200, Ian FREISLICH wrote:
> Luigi Rizzo wrote:
> > i am basically ok with this except, as i said, that there is
> > no point in replicating the interface name i.e. why re0-re5
> > instead of just re0-5 ? you just open up to possible mistakes
> > and the need for
Luigi Rizzo wrote:
> i am basically ok with this except, as i said, that there is
> no point in replicating the interface name i.e. why re0-re5
> instead of just re0-5 ? you just open up to possible mistakes
> and the need for extra code to check what happens when the user
> types re2-de5 (by mista
trimming the thing...
On Fri, Aug 25, 2006 at 01:41:03PM +0200, Ian FREISLICH wrote:
...
> > the problem i see above is that the 'delta' is really an attribute
> > of the 'vlanA-B' instruction.
> > Say you have this rule:
> >
> > skipto 1000 recv vlan1002-vlan1264
> >
> > does it mean 'skip
Luigi Rizzo wrote:
> On Fri, Aug 25, 2006 at 11:59:14AM +0200, Ian FREISLICH wrote:
> > Luigi Rizzo wrote:
> > > On Thu, Aug 24, 2006 at 02:32:04PM +0200, Ian FREISLICH wrote:
> > > > skipto 1000 ip from any to any ifhash vlan[1000-1264] offset -1000 delta 100
> > > >
> > > > Which for matching i
On Fri, Aug 25, 2006 at 11:59:14AM +0200, Ian FREISLICH wrote:
> Luigi Rizzo wrote:
> > On Thu, Aug 24, 2006 at 02:32:04PM +0200, Ian FREISLICH wrote:
> > > skipto 1000 ip from any to any ifhash vlan[1000-1264] offset -1000 delta 100
> > >
> > > Which for matching interfaces calculates the
Luigi Rizzo wrote:
> On Thu, Aug 24, 2006 at 02:32:04PM +0200, Ian FREISLICH wrote:
> > skipto 1000 ip from any to any ifhash vlan[1000-1264] offset -1000 delta 100
> >
> > Which for matching interfaces calculates the skipto target as:
> >
> > 1000 + (iface# + offset) * delta
> >
> > If you'
On Thu, Aug 24, 2006 at 02:32:04PM +0200, Ian FREISLICH wrote:
> Ian FREISLICH wrote:
> > Luigi Rizzo wrote:
> > > On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> > > > You're thinking somewhere on the lines of:
> > > >
> > > > skipto base hash-if from to delta
> > > > > [off
Ian FREISLICH wrote:
> Luigi Rizzo wrote:
> > On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> > > You're thinking somewhere on the lines of:
> > >
> > > skipto base hash-if from to delta [offset ]
This is the syntax I've pretty much settled upon:
skipto 1000 ip from any to a
Luigi Rizzo wrote:
> On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> > You're thinking somewhere on the lines of:
> >
> > skipto base hash-if from to delta
> > [offset ]
>
> i did not consider the range in interface numbers,
> but that's a possibility, yes.
That's the only
On Tue, Aug 15, 2006 at 03:21:32PM +0200, Ian FREISLICH wrote:
> Luigi Rizzo wrote:
...
> > another approach that was suggested long ago was to put, in
> > the interface definition, a starting ipfw rule number so
> > the ip_fw_chk() would start from there if available,
> > rather than from rule 1.
On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> Luigi Rizzo wrote:
> > On Wed, Aug 02, 2006 at 12:27:39PM +0200, Ian FREISLICH wrote:
> > ...
> > > things. I can also give the ifp->if_index cache a go. Since I
> > > need to virtualise the firewall, I need a set of rules for each
>
Luigi Rizzo wrote:
> On Wed, Aug 02, 2006 at 12:27:39PM +0200, Ian FREISLICH wrote:
> ...
> > things. I can also give the ifp->if_index cache a go. Since I
> > need to virtualise the firewall, I need a set of rules for each
> > interface. I can't think of another way of sharing the firewall
> > b
On Wed, Aug 02, 2006 at 12:27:39PM +0200, Ian FREISLICH wrote:
...
> things. I can also give the ifp->if_index cache a go. Since I
> need to virtualise the firewall, I need a set of rules for each
> interface. I can't think of another way of sharing the firewall
> between a few hundred customers t
Luigi Rizzo wrote:
> On Mon, Jul 31, 2006 at 02:15:56PM +0200, Ian FREISLICH wrote:
> > Hi
> >
> > I was wondering if anyone here had any ideas for improving the
> > performance (packet rate) of ipfw.
> >
> > I have about 500 interfaces on my firewall and I need to match and
> > filter packets on
On Mon, Jul 31, 2006 at 02:15:56PM +0200, Ian FREISLICH wrote:
> Hi
>
> I was wondering if anyone here had any ideas for improving the
> performance (packet rate) of ipfw.
>
> I have about 500 interfaces on my firewall and I need to match and
> filter packets on a per interface basis.
>
> I've f
Hi
I was wondering if anyone here had any ideas for improving the
performance (packet rate) of ipfw.
I have about 500 interfaces on my firewall and I need to match and
filter packets on a per interface basis.
I've found that while the server can move in excess of 360kpps
between arbitrary interf
17 matches