Subject: Re: ipfilter performance with 'count' rules on NetBSD-1.4/i386
To: Erik Rungi <blackbox@openface.ca>
From: Darren Reed <darrenr@telnetmedia.com>
List: current-users
Date: 09/15/1999 11:06:40
> 
> On Tue, 14 Sep 1999, David Maxwell wrote:
> 
> > Additionally, you specifically stated that you didn't use 'quick' in
> > any of the rules. Would you mind running the test with quick on all
> > the rules? Depending on the distribution of destination, it should cut
> > the workload in half. If the addresses for your rules don't overlap,
> > you could then optimize the most used rules to the top of the list.
> 
> In the case of optimization, you have to keep track of hits, but I'm sure it
> could be done.  It would be nice if the kernel could do this.

I'd rather it didn't.  The rules that you put in should be the rules that
get used/run.  FW-1 does "optimization" for you and that has some nasty
side effects (such as crypto not being required, etc).

I would really be interested in seeing the difference using head/group makes
to the performance.  This is the first time anyone's done any independent
testing of IP Filter for performance, which makes it quite valuable to me.

Darren
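As an added illustration of the two rule layouts discussed in this thread (a flat list without 'quick' versus 'quick' with head/group), this is an example ipf.conf written for this page, not a configuration from any of the participants; the interface name fxp0 and the 192.0.2.x addresses are assumed placeholders.

```ipf
# Added example ipf.conf, not from the thread. fxp0 and the 192.0.2.x
# addresses are assumed placeholders.

# --- Layout 1: flat list, no 'quick' ---
# ipf uses last-match semantics, so every inbound packet is compared
# against every rule in the list before the winning action is known.
block in on fxp0 all
pass in on fxp0 proto tcp from any to 192.0.2.10 port = 80 flags S keep state
pass in on fxp0 proto tcp from any to 192.0.2.10 port = 25 flags S keep state
pass in on fxp0 proto udp from 192.0.2.1 port = 53 to 192.0.2.10
block out on fxp0 all
pass out on fxp0 proto tcp from 192.0.2.10 to any flags S keep state

# --- Layout 2: 'quick' plus head/group ---
# The head rule is the only top-level rule an inbound fxp0 packet can
# match; it sends the packet into group 100. The first matching rule in
# the group ends the search ('quick'). If nothing in the group matches,
# the head's own action (block) applies and, because the head is also
# 'quick', no later rules are examined. Outbound traffic has its own
# group, so inbound packets never walk the outbound rules and vice versa.
block in quick on fxp0 all head 100
# Most frequently hit rules first, since the first match wins.
pass in quick proto tcp from any to 192.0.2.10 port = 80 flags S keep state group 100
pass in quick proto tcp from any to 192.0.2.10 port = 25 flags S keep state group 100
pass in quick proto udp from 192.0.2.1 port = 53 to 192.0.2.10 group 100
block out quick on fxp0 all head 200
pass out quick proto tcp from 192.0.2.10 to any flags S keep state group 200
```

Per-rule match counts can be read back with `ipfstat -hio`, which gives the hit data needed to decide which rules belong at the top of each group.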