Re: The Future

From: Christian Kratzer <>
Date: Thu, 02 Jan 1997 20:28:37 +0100


> Maybe I'll start the discussion with a wishlist :-)
> Two things I have thought of for a long time but had no time to
> hack them in yet:
> 1) make the ACL module a separate process.
> Why? We are an ISP in Germany. We primarily provide the squid service
> to our customers. Unfortunately our class C networks are not
> contiguous, so we had a rather long ACL list. We noticed that this
> had caused some significant performance degradations (as squid has
> to check the ACL list on every connection it receives). I have played
> with the order of the ACLs and moved the most frequently used to the
> top of the list. This made things a bit faster. But finally we
> decided to ignore the "holes" in the list and open quasi class B
> nets. This reduced the list from more than 100 entries to about 20 and
> made squid faster again.
> My idea was to make a separate module like dnsserver and put all the
> ACL stuff there.

faster ip access lists would also be nice for things like firewall_ip
or local_ip.

The lookup could be made significantly faster by implementing a
hashtable for each netmask length found. This would reduce the lookup
from searching a linear list to checking perhaps 2-3 tables, depending on
how many different netmasks you have.

A separate process would only make matters more complicated and would
not do anything to speed up the lookup. A decent algorithm for ip acl
would do the job far nicer.

Christian Kratzer

TopLink GbR, Internet Services
Christian Kratzer
Phone: +49 7452 885 0
Fax: +49 7452 885 199
FreeBSD spoken here!
Received on Thu Jan 02 1997 - 11:52:10 MST
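The per-netmask-length hashtable lookup proposed in the reply above, as an added illustration that is not code from the mail or from Squid. It assumes IPv4 only, uses a constructed sample ACL with hypothetical addresses, and keeps a plain linear scan alongside it so the two can be checked against each other.

```python
import ipaddress
from collections import defaultdict

# Constructed sample ACL (hypothetical networks, not from the original mail):
# non-contiguous customer nets with several different mask lengths.
SAMPLE_ACL = [
    "192.0.2.0/24",
    "192.0.2.128/25",   # more specific overlap of the /24 above
    "198.51.100.0/22",
    "203.0.113.64/26",
    "10.0.0.0/8",
]


def build_tables(acl_entries):
    """One hash table (a set) per netmask length, keyed by the masked network address."""
    tables = defaultdict(set)
    for entry in acl_entries:
        net = ipaddress.ip_network(entry, strict=False)
        tables[net.prefixlen].add(int(net.network_address))
    # Probe the most specific masks first so overlapping entries report the
    # longest match; cost is one hash probe per distinct mask length, not per entry.
    return {plen: tables[plen] for plen in sorted(tables, reverse=True)}


def lookup(tables, addr):
    """Return the prefix length of the matching entry, or None if no entry matches."""
    a = int(ipaddress.ip_address(addr))
    for plen, nets in tables.items():
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if (a & mask) in nets:
            return plen
    return None


def linear_lookup(acl_entries, addr):
    """Reference check: walk the whole list, as a long flat ACL list does."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(e, strict=False) for e in acl_entries)


def agrees(acl_entries, addrs):
    """True if the hashed lookup and the linear scan accept/reject the same addresses."""
    tables = build_tables(acl_entries)
    return all((lookup(tables, x) is not None) == linear_lookup(acl_entries, x) for x in addrs)
```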
