Re: Firewalling Rules

Richard B. Johnson (root@chaos.analogic.com)
Sat, 1 Nov 1997 10:17:48 -0500 (EST)


On Sat, 1 Nov 1997, Keith Owens wrote:

> On Fri, 31 Oct 1997 10:47:51 -0500 (EST),
> "Richard B. Johnson" <root@chaos.analogic.com> wrote:
> >I have not looked at the firewall code. However, I think that firewall
> >rules just create and/or modify entries within a hash-table or two. [snip]
> >I hope that, if there are 'N' rules, there are not 'N' entries that have
> >to be scanned for every incoming packet. If so, you could make better
> >use of your time rewriting the packet filter.
>
> It's a serial chain for each rule type (-I/-O/-F). Firewall code
> serially scans the relevant chain until it finds an entry that matches
> or drops off the end and uses the policy setting. The masquerade port
> lookup is hashed but the rules are not.
>
> IMHO there is no chance of firewall rules being hashed. The design of
> the filter requires that the rules be scanned top to bottom. However
> there is hope, "Paul Rusty Russell" <Paul.Russell@rustcorp.com.au> has
> written patches (http://www.adelaide.net.au/~rustcorp) to represent the
> rules as a tree with user defined structure. This makes rule scanning
> faster and makes it easier to test new firewall configurations.
>
>
Thanks. I think the new Cisco routers have implemented some kind of
hashing to speed up throughput. Maybe Alexey Kuznetsov could comment. He
knows the Cisco routers. If Linux is going to increase its exposure
into the routing area, perhaps a wizard would take that on.

Cheers,
Dick Johnson

Richard B. Johnson
Project Engineer
Analogic Corporation
Penguin : Linux version 2.1.60 on an i586 machine (66.15 BogoMips).
Warning : It's hard to remain at the trailing edge of technology.
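The serial scan Keith describes above (walk the chain top to bottom, stop at the first matching rule, fall through to the chain policy) is easy to model. The following Python is an added example written for this archive page, not the kernel's firewall code: the Rule and Chain classes, the comparison counter and the sample rule set are all constructed here to show why rule position, not just rule count, determines per-packet cost, and why a rule inserted at the top (ipfwadm -I style) can override everything below it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = "0.0.0.0/0"   # wildcard prefix: matches every IPv4 address


@dataclass(frozen=True)
class Rule:
    src: str                 # source prefix in CIDR form; ANY matches everything
    dst: str                 # destination prefix in CIDR form
    proto: Optional[str]     # "tcp", "udp", "icmp", or None for any protocol
    dport: Optional[int]     # destination port, or None for any port
    action: str              # verdict if this rule matches: "accept" or "deny"

    def matches(self, pkt: dict) -> bool:
        # Every field must match; None / ANY fields are wildcards.
        if ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return True


class Chain:
    """One ordered rule chain (one of the -I/-O/-F lists) plus its default policy."""

    def __init__(self, policy: str):
        self.rules: List[Rule] = []
        self.policy = policy

    def append(self, rule: Rule) -> None:
        self.rules.append(rule)        # goes to the bottom, scanned last

    def insert(self, rule: Rule, pos: int = 0) -> None:
        self.rules.insert(pos, rule)   # goes to the top, scanned first

    def lookup(self, pkt: dict) -> Tuple[str, int]:
        """Serial scan. Returns (verdict, number of rules examined)."""
        for examined, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.action, examined
        # Dropped off the end: the policy decides, after examining every rule.
        return self.policy, len(self.rules)


def build_demo_chain() -> Chain:
    # Constructed sample rule set; addresses are documentation ranges.
    chain = Chain(policy="deny")
    chain.append(Rule("10.0.0.0/8", ANY, "tcp", 22, "accept"))
    chain.append(Rule("10.0.0.0/8", ANY, "tcp", 25, "accept"))
    chain.append(Rule(ANY, "192.0.2.10/32", "tcp", 80, "accept"))
    chain.append(Rule(ANY, ANY, "udp", 53, "accept"))
    chain.append(Rule(ANY, ANY, "icmp", None, "accept"))
    return chain


PACKETS = {   # constructed sample packets
    "ssh":    {"src": "10.1.2.3",     "dst": "10.9.9.9",   "proto": "tcp",  "dport": 22},
    "ping":   {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "icmp"},
    "telnet": {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp",  "dport": 23},
}


def scan_all(chain: Chain) -> Dict[str, Tuple[str, int]]:
    return {name: chain.lookup(pkt) for name, pkt in PACKETS.items()}


def demo() -> Tuple[Dict[str, Tuple[str, int]], Dict[str, Tuple[str, int]]]:
    chain = build_demo_chain()
    before = scan_all(chain)
    # A deny rule inserted at the top shadows the ssh accept below it and
    # adds one comparison to every packet that has to fall through.
    chain.insert(Rule("10.1.2.0/24", ANY, None, None, "deny"))
    after = scan_all(chain)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name in PACKETS:
        print(f"{name:7s} before={before[name]}  after={after[name]}")
```

The "examined" count is the point of the model: the ping packet is accepted only after all five rules are tested, and the telnet packet pays the full scan just to reach the policy. Putting the most frequently hit rules first, or using Rusty's tree patches so a packet only visits the branch that applies to it, reduces that per-packet cost without changing any verdict.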