From: James (james@towardex.com)
Date: Mon Jan 31 2005 - 14:37:22 GMT-3
On Mon, Jan 31, 2005 at 11:59:19AM +0200, Danshtr wrote:
> Thanks, but I was more looking for how is it implemented.
> Does the order of the ACL matter?
> Is it similar to skip states of OpenBSD PF?
No. OpenBSD pf(4) establishes state to match subsequent packets. While pf(4)'s
skip-state is a fast mechanism, if you were to do that on a backbone core router
moving large amounts of varying flows, your box will crash in under 2 minutes flat
due to pool exhaustion. (Yes. me == been there, done that)
pf(4) is more similar to Netflow or IP Fast Cache on Cisco in the manner it
functions.
Turbo ACL, also known as Compiled ACL, simply recompiles your ruleset into a
set of lookup tables, kind of like the HiPac extension for iptables.
OpenBSD pf(4) by default also does 'skip step' or "skip-stepping" on line-by-
line rule evaluations. So if you group your rules by elements like interface
matches, it will skip all the irrelevant rules after the first match.
Skip stepping is at least a little bit close to Cisco's TurboACL approach.
-J
--
James Jun                          TowardEX Technologies, Inc.
Technical Lead                     Boston IPv4/IPv6 Web Hosting, Colocation and
james@towardex.com                 Network design/consulting & configuration services
cell: 1(978)-394-2867  web: http://www.towardex.com , noc: www.twdx.net
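A small model of the skip-step evaluation James describes, added here as an illustration and not part of the original mail or of pf(4)'s own code: each rule precomputes, per field, the index of the next rule with a different value, so a packet arriving on em1 jumps over the whole em0 block on the first mismatch. The `Rule` fields, the interface names and the sample ruleset are constructed, and only three of pf's skip fields are modelled.

```python
# Simplified model of pf(4) skip steps (constructed illustration, not pf's code):
# per field, each rule records how far to jump when that field does not match.
from dataclasses import dataclass, field
from typing import Optional

FIELDS = ("ifname", "proto", "dst_port")   # real pf also has dir, af, addrs, sport

@dataclass
class Rule:
    action: str
    ifname: Optional[str] = None      # None means "any" (wildcard)
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    skip: dict = field(default_factory=dict)

def calc_skip_steps(rules):
    """skip[f] of rule i = index of the first later rule whose value for f
    differs; a wildcard field never fails, so its skip is just i + 1."""
    for i, r in enumerate(rules):
        for f in FIELDS:
            v, j = getattr(r, f), i + 1
            if v is not None:
                while j < len(rules) and getattr(rules[j], f) == v:
                    j += 1
            r.skip[f] = j
    return rules

def classify(rules, pkt):
    """Last-matching-rule semantics (pf without 'quick'), implicit default
    pass. Returns (action, number of rules actually visited)."""
    i, visited, winner = 0, 0, "pass"
    while i < len(rules):
        r = rules[i]
        visited += 1
        for f in FIELDS:
            v = getattr(r, f)
            if v is not None and v != pkt[f]:
                i = r.skip[f]          # jump past every rule sharing this value
                break
        else:
            winner, i = r.action, i + 1
    return winner, visited

# Constructed ruleset grouped by interface, as the mail recommends.
RULES = calc_skip_steps([
    Rule("block", "em0"), Rule("pass", "em0", "tcp", 22),
    Rule("pass", "em0", "tcp", 80), Rule("pass", "em0", "udp", 53),
    Rule("block", "em1"), Rule("pass", "em1", "tcp", 443),
])
```

With six rules an em1 packet visits three of them; an unsorted ruleset would force a full linear walk, which is the cost Turbo ACL's lookup tables avoid differently.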
This archive was generated by hypermail 2.1.4 : Wed Feb 02 2005 - 22:10:27 GMT-3