On Tue, Sep 14, 1999 at 03:33:37PM -0400, Bill Sommerfeld wrote:
> The data you've collected shows a roughly linear relationship between
> number of rules and forwarding delay, which makes sense assuming that
> ipf is just trying rules one at a time, in order.
> 
> It's possible to build more sophisticated data structures for filter
> rule matching but given that the typical ipf filter i've seen uses
> fewer than 100 rules, it's not clear that this will help the typical
> use of ipf..
> 
> For your application, it may make sense for you to find a different
> hammer..  (what are you trying to do, anyway?)

Additionally, you specifically stated that you didn't use 'quick' in
any of the rules. Would you mind running the test with quick on all
the rules? Depending on the distibution of destination, it should cut
the workload in half. If the addresses for your rules don't overlap,
you could then optimize the most used rules to the top of the list.

If you have rules that do overlap subnets, you could generate the
total by adding the smaller networks at 'stats' time. (Assuming you
aren't collecting for a portion of a subnet, and the whole net, 
but not another portion - if so, change the whole subnet one to collect
the other portion with a quick rule, and sum the counts later.)

-- 
David Maxwell, david@vex.net|david@maxwell.net --> Mastery of UNIX, like
mastery of language, offers real freedom. The price of freedom is always dear,
but there's no substitute. Personally, I'd rather pay for my freedom than live
in a bitmapped, pop-up-happy dungeon like NT. - Thomas Scoville