Re: Firewalling Rules (Was: Linux Kernels)

Rogier Wolff (R.E.Wolff@BitWizard.nl)
Fri, 31 Oct 1997 17:43:22 +0100 (MET)


Richard B. Johnson wrote:
>
> On Fri, 31 Oct 1997, Matthew Kirkwood wrote:
> [SNIPPED]
> >
> > Having heard various (and unconvincing) horror stories about the effect
> > that having many firewalling rules can have on network latency, I thought
> > up this foolish plan: firewall modules
> >
> > Compile up a (or perhaps more than one) little module with enough code in
> > it to handle, in an intelligent way all of the firewalling that you
> > require.
> >
> > Compile it with -O8 (or turn the 8 on its side :), and insmod the thing so
> > that your rules are, in essence, hardcoded and (of course :-) written
> > cunningly to minimise time taken in refusing all packets from 207.68.x.x.
> >
> > It is, perhaps, unacceptably hacky, but could save a few cycles every now
> > and then...
> >
> > So -- Am I a fool, or should I make some hacking time this weekend? :)
> >
> > Matthew.
>
> I have not looked at the firewall code. However, I think that firewall
> rules just create and/or modify entries within a hash-table or two. If so,
> you are just adding/modifying entries to an existing table when using
> the cumbersome utility. The code should already be somewhat optimized so
> your net-gain from a lot of work might be near zero.
>
> I hope that, if there are 'N' rules, there are not 'N' entries that have
> to be scanned for every incoming packet. If so, you could make better
> use of your time rewriting the packet filter.

I don't think many people are hitting performance problems on firewall
rules, but there was a discussion a while back where I showed that it
was possible to translate a firewall config file into a C program.

gcc compiles this, and you can insmod it into the kernel. No problem.

I don't think you can work with hash tables easily: you don't know how
specific a rule is going to hit this packet. So you cannot generate a
usable hash code from a packet that just came in that will point you
towards the right firewall rule. If all rules specified a complete
host, then you'd be able to make a hash based on the source IP. However,
now you've got 32 possible netmasks that might make a rule match.

You might make 32 hashtables, and iterate over these 32 possibilities
at every packet, but that will only become advantageous at very large
numbers of firewall rules.

Aren't your firewall rules wrong if you cannot lump many of them
together?

Roger.

-- 
** R.E.Wolff@BitWizard.nl ** +31-15-2137555 ** http://www.BitWizard.nl/ **
Florida -- A 39 year old construction worker woke up this morning when a
109-car freight train drove over him. According to the police the man was 
drunk. The man himself claims he slipped while walking the dog. 080897
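The "32 hash tables, one per netmask" idea from the reply above, written out as an added example (this is not code from the original post or from the kernel's firewall code of the time). It keeps a chained hash table per prefix length and probes them from most specific to least, beside a plain in-order first-match scan of the same rules. The `fw_*` names, the integer-mixing bucket function and the sample rule set (the post's 207.68.x.x block plus a carve-out and a catch-all) are all assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not from the original post: one chained hash table per
 * prefix length (0..32), probed from most specific to least, beside the
 * plain first-match scan that an ordered rule list uses. */

enum { DENY = 0, ACCEPT = 1 };
#define MAXRULES 64
#define NBUCKETS 64

struct rule { uint32_t prefix; int len; int action; struct rule *next; };

static struct rule  linear[MAXRULES];        /* insertion order, for first match */
static struct rule *tables[33][NBUCKETS];     /* tables[len] holds every /len rule */
static int nrules;

static uint32_t mask_of(int len) { return len == 0 ? 0 : 0xffffffffu << (32 - len); }
static uint32_t ip4(int a, int b, int c, int d) {
    return (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | (uint32_t)d;
}
static unsigned bucket(uint32_t key) {        /* assumed integer mix, not a real hash */
    key ^= key >> 16; key *= 0x45d9f3bu; key ^= key >> 16;
    return key % NBUCKETS;
}

void fw_reset(void) {
    for (int len = 0; len <= 32; len++)
        for (int b = 0; b < NBUCKETS; b++) {
            struct rule *r = tables[len][b], *next;
            for (; r; r = next) { next = r->next; free(r); }
            tables[len][b] = NULL;
        }
    nrules = 0;
}

/* Add "prefix/len -> action" to both the ordered list and tables[len]. */
int fw_add(uint32_t prefix, int len, int action) {
    if (len < 0 || len > 32 || nrules >= MAXRULES) return -1;
    struct rule *r = malloc(sizeof *r);
    if (!r) return -1;
    prefix &= mask_of(len);                   /* drop host bits so equality works */
    *r = (struct rule){ prefix, len, action, NULL };
    linear[nrules++] = *r;
    unsigned b = bucket(prefix);
    r->next = tables[len][b];
    tables[len][b] = r;
    return 0;
}

/* First-match scan: N mask-and-compare steps per packet, the cost the post worries about. */
int fw_lookup_linear(uint32_t src, int dflt) {
    for (int i = 0; i < nrules; i++)
        if ((src & mask_of(linear[i].len)) == linear[i].prefix) return linear[i].action;
    return dflt;
}

/* Hashed: at most 33 table probes per packet whatever N is, but it answers
 * "most specific match", which equals first match only when the rule list
 * is ordered most specific first. */
int fw_lookup_hashed(uint32_t src, int dflt) {
    for (int len = 32; len >= 0; len--) {
        uint32_t key = src & mask_of(len);
        for (struct rule *r = tables[len][bucket(key)]; r; r = r->next)
            if (r->prefix == key) return r->action;
    }
    return dflt;
}

/* Constructed rule set: the post's 207.68.x.x block plus an exception and a
 * catch-all, listed most specific first so both lookups agree. Returns rule count. */
int fw_load_sample(void) {
    fw_reset();
    fw_add(ip4(207, 68, 1, 0), 24, ACCEPT);   /* carve-out inside the blocked /16 */
    fw_add(ip4(207, 68, 0, 0), 16, DENY);
    fw_add(ip4(10, 0, 0, 0), 8, ACCEPT);
    fw_add(0, 0, DENY);                       /* /0 catch-all */
    return nrules;
}

int main(void) {
    fw_load_sample();
    uint32_t probes[] = { ip4(207,68,1,5), ip4(207,68,2,5), ip4(10,1,2,3), ip4(192,168,1,1) };
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%u: linear=%d hashed=%d\n", (unsigned)probes[i],
               fw_lookup_linear(probes[i], ACCEPT), fw_lookup_hashed(probes[i], ACCEPT));
    return 0;
}
```

Two things the code makes concrete that the prose only hints at. The "32 possible netmasks" become prefix lengths 1..32 plus the /0 catch-all, so the hashed path probes 33 tables per packet and only beats the linear scan once there are more than a few dozen rules, which is the post's point. And the two lookups only agree because the sample list is ordered most specific first; a hashed scheme silently changes the matching rule from "first in the list" to "most specific", so a rule set that relies on list order would need reordering (or the post's "lump them together" cleanup) before it could be hashed.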