> Actually, there wouldn't be any real performance penalty, because these
> embryonic states are in effect only a tree-sorted list of one-shot rules.
>
> When they match they're removed from the embryonic tree, filled in with
> some other details, and moved to the normal state tree. It's just done
> faster than if you added rules to match the same things.
Though I hate to make performance-based arguments without any code to make an evaluation on, I have to say this makes me feel uneasy. It seems to me the only time the filter would NOT have to search the embryonic state table is:

1) if an existing state is matched
2) if the entire embryonic rule list is empty.

So basically, every potentially state-creating packet is going to have to traverse this list. Sure, you can use skip steps to minimize the cost of the traversal, but this still seems like a hell of a hit.

And though I like the idea of rule templates, I can't help but wonder if we can't achieve the same thing (limiting what kind of rules a proxy can insert) just by some well-thought-out "block [in/out] quick uid foo-proxy" rules (assuming the proxy's dynamic rules are added at the end).

-kj
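The lookup order the two messages argue about, as an added toy model that is not code from the thread or from any packet filter: a state set checked first, a one-shot embryonic list kept sorted so a walk can stop early, and the ordinary ruleset as the fall-through. The packet tuples, addresses and `EmbryonicRule`/`Filter` names are constructed for the illustration; the counters show which packets pay for the embryonic walk and which do not.

```python
"""Toy model of embryonic-state lookup order (hypothetical, not pf code).

States are an exact-match set. Embryonic rules are one-shot templates a proxy
inserts for a connection it expects; they are kept sorted by (proto, dst, dport)
so a walk can stop as soon as the next rule sorts after the packet.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed 4-tuple key: (proto, src, dst, dport)
Pkt = Tuple[str, str, str, int]


@dataclass
class EmbryonicRule:
    """One-shot rule; src None means 'any source'."""
    proto: str
    src: Optional[str]
    dst: str
    dport: int

    def sort_key(self):
        return (self.proto, self.dst, self.dport)


@dataclass
class Filter:
    states: set = field(default_factory=set)
    embryonic: List[EmbryonicRule] = field(default_factory=list)
    stats: Dict[str, int] = field(default_factory=lambda: {
        "state_hit": 0, "embryonic_walked": 0, "embryonic_compares": 0, "ruleset": 0})

    def insert_embryonic(self, rule: EmbryonicRule) -> None:
        self.embryonic.append(rule)
        self.embryonic.sort(key=EmbryonicRule.sort_key)

    def lookup(self, pkt: Pkt) -> str:
        proto, src, dst, dport = pkt
        # 1) existing state: the only case that never touches the embryonic list
        if pkt in self.states:
            self.stats["state_hit"] += 1
            return "state"
        # 2) embryonic one-shots: every other packet walks this list when non-empty
        if self.embryonic:
            self.stats["embryonic_walked"] += 1
            pkey = (proto, dst, dport)
            for i, rule in enumerate(self.embryonic):
                self.stats["embryonic_compares"] += 1
                rkey = rule.sort_key()
                if rkey > pkey:
                    break  # sorted list: nothing further can match this packet
                if rkey == pkey and rule.src in (None, src):
                    del self.embryonic[i]   # one shot: consumed on match
                    self.states.add(pkt)    # promoted to a normal state
                    return "embryonic"
        # 3) fall through to the ordinary ruleset
        self.stats["ruleset"] += 1
        return "ruleset"


def run_demo():
    """Constructed traffic: two proxy-inserted templates, five packets."""
    f = Filter()
    f.insert_embryonic(EmbryonicRule("tcp", None, "10.0.0.5", 20001))
    f.insert_embryonic(EmbryonicRule("udp", "192.0.2.10", "10.0.0.9", 5004))
    packets: List[Pkt] = [
        ("tcp", "203.0.113.4", "10.0.0.5", 443),    # no template: walk, early stop
        ("tcp", "192.0.2.10", "10.0.0.5", 20001),   # matches first template
        ("tcp", "192.0.2.10", "10.0.0.5", 20001),   # now an existing state
        ("udp", "192.0.2.10", "10.0.0.9", 5004),    # matches second template
        ("tcp", "198.51.100.7", "10.0.0.5", 22),    # list empty: straight to rules
    ]
    results = [f.lookup(p) for p in packets]
    return results, dict(f.stats)


if __name__ == "__main__":
    res, st = run_demo()
    print(res)
    print(st)
```

Of the five packets only the third (an established state) and the fifth (empty embryonic list) avoid the walk, which is the point kj makes; the sorted order is what lets the first packet stop after a single comparison.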