> In some email I received from [EMAIL PROTECTED], sie wrote: > > A simple question: how do I compile the ipf rules into an LKM on Solaris? > > First you need to compile IPFilter to support it. Do this by > uncommenting the followig line in the top level Makefile: > #COMPIPF=-DIPFILTER_COMPILED > > build, and install the ipf LKM with that included. Then you need > to build the ipf rules LKM. Probably the easiest way to do that > is this: > > cd ip_fil4.1.1 > ipf -cc /etc/opt/ipf/ipf.conf > make solaris
Eh, I should have wrote right away that I'm using 3.4.33. The procedure is the same though? > You will then have to go searching for a file called "ipfrule" under > the SunOS5 directory, somewhere - e.g.: > > SunOS5/sparc-5.6/ipfrule > > That is the LKM with the compiled filter rules. Do I stick that in /kernel/drv/? Do I need to edit /etc/system and add the entry for it? If so, what should it look like? > Very significant. I did do some benchmarking of this, originally but I > forget what the performance measurements were, now. > > The improvements in performance come from two areas. The first is that > the packet matching is now all in C, rather than using intermediate > structures. The second is that rather than compare each field, one > at a time, in each rule, it sorts the fields to be matched for each > rule as an optimisation and only does comparisons when the matching > is different. That's exactly what I was hoping for! And on older systems, every CPU cycle counts! I can't wait to try it out.
