Making, drinking tea and reading an opus magnum from Henning Brauer:
> On Fri, Dec 20, 2002 at 06:38:58PM +0100, Daniel Hartmeier wrote:
> > On Fri, Dec 20, 2002 at 06:31:03PM +0100, Cedric Berger wrote:
> > 
> > > Assuming that each host needs X rules, it becomes N x X, which in my
> > > case, could easily be 10'000 x 10, which is huge, and a PITA to manage
> > > (i.e. remove and add addresses).
> > 
> > The primary application would be in a case like this:
> > 
> >   block
> >   pass in from { s1, s2, ..., sN } to { d1, d2, ..., dM } keep state
> > 
> > Now imagine N and M are huge, like N=10000 and M=10000.
> 
> well, that sucks. you can justify any code with any imaginary setup.

i do not understand your persistent resistance here, but even a
simple class-c network and M ports on each and K source addrs
gives K*M*256, say M=4, K=8 is 8192;
compare that to one hash lookup of O(1) is a serious
gain, and that is not imaginary guitar notes, dude.

> > I'll have to study the pf changes. It depends on the cost introduced to
> > detect whether the source/destination address in a rule is pointing to a
> > hash table.
> 
> well then let's look at it post-3.3. It's too late, too big, and too much
> stuff has already changed.

hmm, it's four months before the next release, given at least
two months for an easy playing around and properly designed code
this is plenty of time to deal w/ it, if played fast and careful.
in the worst case, easy to disable.

cu

-- 
    paranoic mickey       (my employers have changed but, the name has remained)
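An added example, not from the thread and not pf's own code, that models the K*M*256 argument above: it expands one braced rule into every (source, destination, port) combination the way pfctl's brace expansion would, then compares the number of comparisons a linear scan of that list needs against membership checks in hash-backed sets. The addresses, ports and sample packet are constructed; the model ignores pf details such as `quick` and last-match semantics.

```python
from itertools import product
from ipaddress import IPv4Network


def expand_rules(srcs, dst_net, ports):
    """Mimic brace expansion: one (src, dst, port) rule per combination.

    Iterating the network itself (not .hosts()) yields all 256 addresses
    of a /24, matching the K*M*256 figure in the mail.
    """
    return [(s, str(d), p) for s, d, p in product(srcs, dst_net, ports)]


def linear_match(rules, pkt):
    """Scan the expanded list in order; return (matched, comparisons made)."""
    for n, rule in enumerate(rules, 1):
        if rule == pkt:
            return True, n
    return False, len(rules)


def table_match(src_table, dst_table, port_table, pkt):
    """Table-style evaluation: one rule, three O(1) set lookups."""
    s, d, p = pkt
    return (s in src_table and d in dst_table and p in port_table), 3


def demo(k=8, m=4):
    """Build the K=8, M=4 case from the mail and evaluate the worst-case
    packet (the one that only matches the last expanded rule)."""
    srcs = [f"10.0.0.{i}" for i in range(1, k + 1)]        # constructed
    ports = [22, 25, 80, 443][:m]                            # constructed
    net = IPv4Network("192.0.2.0/24")                       # documentation range
    rules = expand_rules(srcs, net, ports)
    pkt = (srcs[-1], "192.0.2.255", ports[-1])              # last rule wins
    _, linear_cost = linear_match(rules, pkt)
    _, table_cost = table_match(set(srcs), {str(a) for a in net},
                                set(ports), pkt)
    return len(rules), linear_cost, table_cost


if __name__ == "__main__":
    n_rules, linear_cost, table_cost = demo()
    print(f"expanded rules: {n_rules}, linear-scan comparisons: "
          f"{linear_cost}, table lookups: {table_cost}")
```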
