Re: Firewalling Rules (Was: Linux Kernels)

Richard B. Johnson (root@chaos.analogic.com)
Fri, 31 Oct 1997 10:47:51 -0500 (EST)


On Fri, 31 Oct 1997, Matthew Kirkwood wrote:
[SNIPPED]
>
> Having heard various (and unconvincing) horror stories about the effect
> that having many firewalling rules can have on network latency, I thought
> up this foolish plan: firewall modules
>
> Compile up a (or perhaps more than one) little module with enough code in
> it to handle, in an intelligent way all of the firewalling that you
> require.
>
> Compile it with -O8 (or turn the 8 on its side :), and insmod the thing so
> that your rules are, in essence, hardcoded and (of course :-) written
> cunningly to minimise time taken in refusing all packets from 207.68.x.x.
>
> It is, perhaps, unacceptably hacky, but could save a few cycles every now
> and then...
>
> So -- Am I a fool, or should I make some hacking time this weekend? :)
>
> Matthew.

I have not looked at the firewall code. However, I think that firewall
rules just create and/or modify entries within a hash-table or two. If so,
you are just adding/modifying entries to an existing table when using
the cumbersome utility. The code should already be somewhat optimized so
your net-gain from a lot of work might be near zero.

I hope that, if there are 'N' rules, there are not 'N' entries that have
to be scanned for every incoming packet. If so, you could make better
use of your time rewriting the packet filter.

Cheers,
Dick Johnson

Richard B. Johnson
Project Engineer
Analogic Corporation
Penguin : Linux version 2.1.60 on an i586 machine (66.15 BogoMips).
Warning : It's hard to remain at the trailing edge of technology.
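The two points the reply makes, that rules may live in a hash table rather than being scanned one by one, and that a filter which examines all N rules for every packet is the real cost to fix, are illustrated by the following toy packet filter. This is an added example written for this archive page, not the Linux 2.1 firewall code or anything from the original thread. It assumes a simplified model: rules match on source address only, rules with at least a /16 mask are indexed by the top 16 bits of the address, shorter masks go to a fallback list, and the sample ruleset (the 207.68.x.x deny from the post plus constructed 10.x.0.0/16 denies and a catch-all accept) is made up for the demonstration. Both lookups return the same first-match verdict; only the number of rules examined differs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the kernel's firewall code: a toy packet filter that
 * contrasts scanning all N rules per packet with a hashed index on the
 * source /16, while preserving first-match semantics.  Rules match on the
 * source address only; a real filter also keys on dst, protocol and ports. */

#define MAX_RULES 64
#define NBUCKETS  16

enum verdict { ACCEPT = 0, DENY = 1 };

struct rule {
    uint32_t net;            /* network address, host byte order, pre-masked */
    uint32_t mask;           /* netmask */
    enum verdict action;
};

struct ruleset {
    struct rule rules[MAX_RULES];
    int n;
    int bucket[NBUCKETS][MAX_RULES]; /* rule indices keyed by the rule's /16 */
    int bucket_len[NBUCKETS];
    int fallback[MAX_RULES];         /* rules with a mask shorter than /16 */
    int fallback_len;
};

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Hash key: the top 16 bits of an address, folded into NBUCKETS. */
static unsigned key16(uint32_t addr) { return (addr >> 16) % NBUCKETS; }

static int rule_add(struct ruleset *rs, uint32_t net, uint32_t mask, enum verdict action)
{
    if (rs->n >= MAX_RULES)
        return -1;
    int idx = rs->n++;
    rs->rules[idx].net = net & mask;
    rs->rules[idx].mask = mask;
    rs->rules[idx].action = action;
    if ((mask & 0xFFFF0000u) == 0xFFFF0000u) {      /* at least a /16: indexable */
        unsigned b = key16(net);
        rs->bucket[b][rs->bucket_len[b]++] = idx;
    } else {                                         /* wider than /16: always scanned */
        rs->fallback[rs->fallback_len++] = idx;
    }
    return idx;
}

static int rule_matches(const struct rule *r, uint32_t src) { return (src & r->mask) == r->net; }

/* Linear scan: every rule is examined in order until one matches. */
enum verdict filter_linear(const struct ruleset *rs, uint32_t src, int *examined)
{
    *examined = 0;
    for (int i = 0; i < rs->n; i++) {
        (*examined)++;
        if (rule_matches(&rs->rules[i], src))
            return rs->rules[i].action;
    }
    return ACCEPT;                                   /* default policy */
}

/* Hashed lookup: only the packet's /16 bucket and the fallback list are
 * examined.  Indices in each list ascend, so the first hit in each is its
 * lowest; keeping the lower of the two preserves first-match semantics. */
enum verdict filter_hashed(const struct ruleset *rs, uint32_t src, int *examined)
{
    int best = -1, i, k;
    unsigned b = key16(src);
    *examined = 0;
    for (k = 0; k < rs->bucket_len[b]; k++) {
        i = rs->bucket[b][k];
        (*examined)++;
        if (rule_matches(&rs->rules[i], src)) { best = i; break; }
    }
    for (k = 0; k < rs->fallback_len; k++) {
        i = rs->fallback[k];
        (*examined)++;
        if (rule_matches(&rs->rules[i], src)) {
            if (best < 0 || i < best) best = i;
            break;
        }
    }
    return best < 0 ? ACCEPT : rs->rules[best].action;
}

/* Constructed sample ruleset: deny 207.68/16 (from the post), then thirty
 * made-up 10.x/16 denies, then a catch-all accept (32 rules in total). */
static struct ruleset sample;

static const struct ruleset *sample_rules(void)
{
    if (sample.n == 0) {
        rule_add(&sample, ip4(207, 68, 0, 0), 0xFFFF0000u, DENY);
        for (int x = 1; x <= 30; x++)
            rule_add(&sample, ip4(10, x, 0, 0), 0xFFFF0000u, DENY);
        rule_add(&sample, 0, 0, ACCEPT);
    }
    return &sample;
}

int verdict_linear(uint32_t src)  { int e; return filter_linear(sample_rules(), src, &e); }
int verdict_hashed(uint32_t src)  { int e; return filter_hashed(sample_rules(), src, &e); }
int examined_linear(uint32_t src) { int e; filter_linear(sample_rules(), src, &e); return e; }
int examined_hashed(uint32_t src) { int e; filter_hashed(sample_rules(), src, &e); return e; }

int main(void)
{
    uint32_t pkts[] = { ip4(207, 68, 1, 2), ip4(10, 30, 5, 5), ip4(172, 16, 0, 1) };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        uint32_t s = pkts[i];
        printf("%u.%u.%u.%u  linear: %s after %d rules  hashed: %s after %d rules\n",
               s >> 24, (s >> 16) & 255, (s >> 8) & 255, s & 255,
               verdict_linear(s) ? "DENY" : "ACCEPT", examined_linear(s),
               verdict_hashed(s) ? "DENY" : "ACCEPT", examined_hashed(s));
    }
    return 0;
}
```

A packet from 207.68.1.2 is refused after one rule either way, but a packet that only matches the last deny costs the linear scan 31 comparisons and the hashed lookup 3, and a packet that falls through to the catch-all costs 32 versus 2. The price of the index is that every prefix length not covered by the hash key still has to be scanned, which is why the fallback list exists and why real filters keep one table per prefix length or use a trie.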