finding optimal ipfw strategy
Eugene Grosbein
eugen at grosbein.net
Wed Aug 28 17:20:07 UTC 2019
28.08.2019 23:58, Victor Gamov wrote:
> P.S. Two questions about rules syntax optimization. What is more effective:
> skipto tablearg udp from any to table(AllMcast_out)
> or
> skipto tablearg udp from any to table(AllMcast_out) out xmit vlan*
Can't tell, this heavily depends on the table contents and the internal order of checks
in the kernel part of ipfw, but the general rule should still apply: fewer checks, better performance.
> I hope I can place such rule at top of ruleset and only allowed multicast packets outgoing via VLANs interfaces will hit this rule.
>
> and second:
> allow udp from $src1 to { 239.1.2.55 or 239.1.2.56 }
> or
> allow udp from src1 to 239.1.2.0/24{55,56}
The last one should be much more efficient, as it just needs to perform a couple of 32-bit masking operations,
and the previous one is more general (IP addresses may belong to different networks) and requires a slower search.
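
An added illustration, not part of the original message and not ipfw's own code: a simplified Python model of the two destination forms compared above. It assumes the address-set semantics documented in ipfw(8) (mask length 24 to 32, list entries are last-byte values or ranges); all function names are hypothetical.

```python
import ipaddress
import re

def ip4(text):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))

def parse_addr_set(spec):
    """Parse 'addr/masklen{list}' into (base, mask, 256-bit bitmap)."""
    m = re.fullmatch(r"([\d.]+)/(\d+)\{([\d,-]+)\}", spec)
    if not m:
        raise ValueError(f"not an address set: {spec!r}")
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    if net.prefixlen < 24:
        raise ValueError("address set mask length must be 24..32")
    base, mask, bitmap = int(net.network_address), int(net.netmask), 0
    for part in m.group(3).split(","):
        lo, _, hi = part.partition("-")          # single entry or lo-hi range
        for last in range(int(lo), int(hi or lo) + 1):
            # reject last-byte values that fall outside the base network
            if last > 255 or ((base & ~0xFF) | last) & mask != base:
                raise ValueError(f"{last} is outside {net}")
            bitmap |= 1 << last
    return base, mask, bitmap

def match_set(addr, aset):
    """Constant cost: one masked compare, then one bit test."""
    base, mask, bitmap = aset
    return (addr & mask) == base and bool((bitmap >> (addr & 0xFF)) & 1)

def match_or_block(addr, addrs):
    """Model of '{ a or b ... }': compare one by one; returns (hit, compares)."""
    for n, candidate in enumerate(addrs, 1):
        if addr == candidate:
            return True, n
    return False, len(addrs)

if __name__ == "__main__":
    aset = parse_addr_set("239.1.2.0/24{55,56}")
    block = [ip4("239.1.2.55"), ip4("239.1.2.56")]
    # Constructed sample destinations, including one in a different /24.
    for dst in ("239.1.2.55", "239.1.2.56", "239.1.2.57", "239.1.3.55"):
        print(dst, match_set(ip4(dst), aset), match_or_block(ip4(dst), block))
```

A packet that matches nothing costs the or-block one comparison per listed address, while the set form stays at two operations however many entries the braces hold.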