On Fri, Dec 20, 2002 at 06:38:58PM +0100, Daniel Hartmeier wrote:
> On Fri, Dec 20, 2002 at 06:31:03PM +0100, Cedric Berger wrote:
>
> > Assuming that each host needs X rules, it becomes N x X, which in my
> > case, could easily be 10'000 x 10, which is huge, and a PITA to manage
> > (i.e. remove and add addresses).
>
> The primary application would be in a case like this:
>
> block
> pass in from { s1, s2, ..., sN } to { d1, d2, ..., dM } keep state
>
> Now imagine N and M are huge, like N=10000 and M=10000.

well, that sucks. you can justify any code with any imaginary setup.

> I'll have to study the pf changes. It depends on the cost introduced to
> detect whether the source/destination address in a rule is pointing to a
> hash table.

well then let's look at it post-3.3. It's too late, too big, and too much
stuff has already changed.