URGENT?

Brett Glass brett at lariat.org
Sun Mar 23 15:00:19 UTC 2014


At 11:33 PM 3/22/2014, Julian Elischer wrote:

>in ipfw that's up to you..
>but I usually put the check-state quite early in my rule sets.

I don't, because I want packets to touch as few rules as possible for the sake of efficiency. One "check-state" can cause an awful lot of work to be done!

In my IPFW rule sets, I divide the work up by interface, and so there's a "check-state" only for interfaces and directions (in vs. out) to which automatically generated rules will apply.

The problem is that this is still inefficient, because there's only one batch of automatically generated rules, containing some that will never apply in certain situations. My rule sets would be more efficient if I could divide the automatically created rules into multiple batches, and do "keep-state N" and "check-state N" to check only the batch that needed to be tested in a particular spot. This ought to be a relatively easy patch, and I've thought many times about coding and submitting it. "N" would default to zero, so the old behavior would be preserved if there was no "N" at the end, so as not to violate POLA.

>I am working on a new rc.firewall that is much more efficient.
>The trouble is that the script to make it do what I want is a bit more complicated.
>I'll put it out for discussion later, maybe tonight.

Would like to see it!

--Brett Glass
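An rc.firewall-style sketch of the layout Brett describes, added here as an example and not his script or FreeBSD's own rc.firewall: packets are dispatched by interface and direction, and "check-state" appears only in the sections whose "keep-state" rules create dynamic entries, so LAN-side traffic never consults the dynamic table. Interface names, the LAN prefix and rule numbers are assumed; fwcmd defaults to echo so the rule list can be inspected on a host without ipfw.

```shell
#!/bin/sh
# Added example, not the poster's rc.firewall. Interface names, LAN prefix
# and rule numbers are assumed; fwcmd=echo gives a dry run, fwcmd=/sbin/ipfw
# loads the rules for real.
oif=${oif:-em0}                   # assumed external interface
iif=${iif:-em1}                   # assumed LAN interface
lan=${lan:-192.168.1.0/24}        # assumed LAN prefix
fwcmd=${fwcmd:-echo}

gen_rules() {
    # Cheap static checks first; nothing here touches dynamic state.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 120 deny ip from ${lan} to any in via ${oif}

    # Dispatch by interface and direction so each packet walks one section.
    ${fwcmd} add 1000 skipto 2000 ip from any to any out via ${oif}
    ${fwcmd} add 1010 skipto 3000 ip from any to any in via ${oif}
    ${fwcmd} add 1020 skipto 4000 ip from any to any via ${iif}
    ${fwcmd} add 1030 deny ip from any to any

    # Section 2000, outbound on the external interface: keep-state lives
    # here, so one check-state precedes it for later packets of a session.
    ${fwcmd} add 2000 check-state
    ${fwcmd} add 2010 allow tcp from ${lan} to any out via ${oif} setup keep-state
    ${fwcmd} add 2020 allow udp from ${lan} to any 53 out via ${oif} keep-state
    ${fwcmd} add 2999 deny ip from any to any

    # Section 3000, inbound on the external interface: replies to sessions
    # created in section 2000 match this check-state; all else is denied.
    ${fwcmd} add 3000 check-state
    ${fwcmd} add 3999 deny ip from any to any

    # Section 4000, LAN interface: static rules only, hence no check-state.
    ${fwcmd} add 4000 allow ip from ${lan} to any in via ${iif}
    ${fwcmd} add 4010 allow ip from any to ${lan} out via ${iif}
    ${fwcmd} add 4999 deny ip from any to any
}

# Layout check: every section that contains a keep-state rule must open
# with a check-state (rule number = section base). Exits 1 on violation.
check_layout() {
    gen_rules | awk '
        BEGIN { bad = 0 }
        /check-state/ { cs[$2] = 1 }
        /keep-state/  { s = int($2 / 1000) * 1000; if (!cs[s]) bad = 1 }
        END { exit bad }'
}
```

Later FreeBSD releases added an optional ":flowname" suffix to keep-state and check-state that gives named batches of dynamic rules, much like the "N" proposed above; the sketch uses only the plain forms the post discusses.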
