[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: fully transparent ftp-proxy?

> Actually, there wouldn't be any real performance penalty, because these
> embrionic states are in effect only a tree sorted list of one shot rules.
> When they match they're removed from the embrionic tree, filled in with
> some other details, and moved to the normal state tree. It's just done
> faster than if you added rules to match the same things.
Though I hate to make performance-based arguments without any code
to make an evaluation on, I have to say this makes me feel uneasy.
It seems to me the only time the filter would NOT have to search the embryonic
state table is:
1) If an existing state is matched
2) If the entire embryonic rule list is empty.
So basically, every potentially state-creating packet is going to have
to traverse this list. Sure, you can use skip steps to minimize the
cost of the traversal, but this still seems like a hell of a hit.
And though I like the idea of rule templates, I can't help but wonder
if we can't achieve the same thing (limiting what kind of rules a
proxy can insert) just by some well-thought-out "block [in/out] quick
uid foo-proxy" rules (assuming the proxy's dynamic rules are added at
the end.)