From: Tobias DiPasquale <codeslinger@gmail.com>
To: "David S. Miller" <davem@davemloft.net>,
netfilter-devel <netfilter-devel@lists.netfilter.org>
Subject: Re: iptables as a state machine
Date: Sat, 2 Oct 2004 17:01:33 -0400
Message-ID: <876ef97a0410021401429a429b@mail.gmail.com>
In-Reply-To: <20040930193955.6fa24afc.davem@davemloft.net>
On Thu, 30 Sep 2004 19:39:55 -0700, David S. Miller <davem@davemloft.net> wrote:
> I think iptables core IP header + indev + outdev match is a
> state machine problem as well. Such a state machine can be
> made extremely small memory-wise. The lookup can be something
> like running a Berkeley packet filter on the frame. Except
> that instead of a "yes or no" answer we get a pointer to a
> target.

What about using an n-ary PATRICIA trie to solve this problem? That
would yield O(1)-time matching of rules, and the data pointer for each
node in the tree could be the list of targets that apply to that
particular IP/subnet? Not sure how ranges would work yet, though, if
they didn't fit into a CIDR block...

--
[ Tobias DiPasquale ]
0x636f6465736c696e67657240676d61696c2e636f6d
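
The idea in this message, sketched as an added example (not code from the thread or from netfilter): a plain binary trie rather than a path-compressed PATRICIA trie, IPv4 only, with one target string per node standing in for the target list; all names are hypothetical. It also shows one way to handle the range question, by splitting a range into aligned CIDR blocks before insertion.

```c
#include <stdint.h>
#include <stdlib.h>

/* Uncompressed binary trie: one node per prefix bit. target is non-NULL
 * where a rule's prefix ends. Nodes are never freed in this sketch. */
struct node { struct node *child[2]; const char *target; };

static struct node *node_new(void) { return calloc(1, sizeof(struct node)); }

/* Insert prefix/len -> target. Returns 0, or -1 on allocation failure. */
int trie_insert(struct node *root, uint32_t prefix, int len, const char *target)
{
    struct node *n = root;
    for (int i = 0; i < len; i++) {
        int b = (prefix >> (31 - i)) & 1;
        if (!n->child[b] && !(n->child[b] = node_new())) return -1;
        n = n->child[b];
    }
    n->target = target;
    return 0;
}

/* Longest-prefix match: at most 32 steps, whatever the number of rules. */
const char *trie_lookup(const struct node *root, uint32_t addr)
{
    const char *best = root->target;
    const struct node *n = root;
    for (int i = 0; i < 32 && (n = n->child[(addr >> (31 - i)) & 1]); i++)
        if (n->target) best = n->target;
    return best;
}

/* Cover [lo, hi] with aligned CIDR blocks and insert each one.
 * Returns the number of blocks inserted, or -1 on allocation failure. */
int trie_insert_range(struct node *root, uint32_t lo, uint32_t hi, const char *target)
{
    int count = 0;
    for (uint64_t cur = lo; cur <= hi; count++) {
        int len = 32;
        while (len > 0) {  /* widen while still aligned at cur and inside the range */
            uint64_t size = 1ULL << (33 - len);
            if ((cur & (size - 1)) || cur + size - 1 > hi) break;
            len--;
        }
        if (trie_insert(root, (uint32_t)cur, len, target) < 0) return -1;
        cur += 1ULL << (32 - len);
    }
    return count;
}
/* Constructed sample: 192.168.0.5-192.168.0.10 needs four blocks. */
int main(void) { struct node *r = node_new();
    return !r || trie_insert_range(r, 0xC0A80005u, 0xC0A8000Au, "LOG") != 4; }
```
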