Re: Firewalling Rules

Keith Owens (kaos@ocs.com.au)
Sat, 01 Nov 1997 19:56:41 +1100


On Fri, 31 Oct 1997 10:47:51 -0500 (EST),
"Richard B. Johnson" <root@chaos.analogic.com> wrote:
>I have not looked at the firewall code. However, I think that firewall
>rules just create and/or modify entries within a hash-table or two. [snip]
>I hope that, if there are 'N' rules, there are not 'N' entries that have
>to be scanned for every incoming packet. If so, you could make better
>use of your time rewriting the packet filter.

It's a serial chain for each rule type (-I/-O/-F). Firewall code
serially scans the relevant chain until it finds an entry that matches
or drops off the end and uses the policy setting. The masquerade port
lookup is hashed but the rules are not.

IMHO there is no chance of firewall rules being hashed. The design of
the filter requires that the rules be scanned top to bottom. However
there is hope, "Paul Rusty Russell" <Paul.Russell@rustcorp.com.au> has
written patches (http://www.adelaide.net.au/~rustcorp) to represent the
rules as a tree with user defined structure. This makes rule scanning
faster and it is easier to test new firewall configurations.
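As an added illustration (not code from the original post, nor the kernel's or Rusty's code), a minimal C model of the serial first-match chain scan described above: the structures, names and the sample chains are assumed for the example, and the returned scan count shows why the cost grows with the number of rules and why rule order matters.

```c
/* Added example: simplified model of an ipfwadm-style chain walk.
 * Structures and names are assumed here; this is not the kernel's code. */
#include <stdint.h>
#include <stddef.h>

enum fw_action { FW_ACCEPT = 1, FW_DENY = 2 };

struct fw_rule {
    uint32_t src;          /* source address to match, host byte order */
    uint32_t src_mask;     /* mask applied before comparing */
    uint16_t dport;        /* destination port, 0 = any */
    enum fw_action action;
};

struct fw_chain {
    const struct fw_rule *rules;
    size_t nrules;
    enum fw_action policy; /* used when no rule matches */
};

/* Walk the chain top to bottom; the first matching rule wins, otherwise
 * the chain policy applies. *scanned receives how many rules were
 * examined, which is O(N) when nothing matches early. */
enum fw_action fw_check(const struct fw_chain *c, uint32_t src,
                        uint16_t dport, size_t *scanned)
{
    for (size_t i = 0; i < c->nrules; i++) {
        const struct fw_rule *r = &c->rules[i];
        if ((src & r->src_mask) == (r->src & r->src_mask) &&
            (r->dport == 0 || r->dport == dport)) {
            if (scanned) *scanned = i + 1;
            return r->action;
        }
    }
    if (scanned) *scanned = c->nrules;
    return c->policy;
}

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample chain: allow one trusted host to port 22, deny the
 * rest of its /24, default policy accept. */
static const struct fw_rule sample_rules[] = {
    { IP4(192, 168, 1, 10), 0xFFFFFFFFu, 22, FW_ACCEPT },
    { IP4(192, 168, 1, 0),  0xFFFFFF00u,  0, FW_DENY   },
};
const struct fw_chain sample_chain = { sample_rules, 2, FW_ACCEPT };

/* Same rules in the opposite order: the /24 deny now shadows the host
 * accept, which is why a top-to-bottom scan cannot simply be hashed. */
static const struct fw_rule reordered_rules[] = { sample_rules[1], sample_rules[0] };
const struct fw_chain reordered_chain = { reordered_rules, 2, FW_ACCEPT };
```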