
Speed improvements in the new ipmasq package



Package: ipmasq
Version: 3.1.3

Hi,

	As the /etc/ipmasq/rules/*.def show, I used to have rules like
# local interface, local machines, going anywhere is valid
$IPFWADM -I -a accept -V `ipofif $int` -S `ipofif $int`/`nmofif $int` -D 0.0.0.0/0

	The problem comes when you have a largish number of rules,
 like I do. I prefer to close down all access to my machine on the
 internet side, and only allow packets in on selected ports from known
 sources. This makes for a large number of rules, and the effect of
 making two or three calls to ipofif and nmofif per rule was
 significantly bogging down the time taken to set up the wall.

	Add to the fact that the ipmasq script is supposed to be run
 on every dialup (and I have diald, this means every few minutes,
 maybe).

	Since we do not need to call the ipofif more than once per
 session, certainly not a couple of times every rule, this slowdown is
 preventable. I have come up with a method of only calling the ipofif
 and nmofif once per if per session. I suggest that this be made the
 default for the debian ipmasq package.

	I came up with this A01interfaces.rul (I propose this become
 the installed standard), which gathers the interface data, and stores
 the IP and the NM of the interfaces (using eval) once and for
 all. Also submitted here is an example excerpt from one of my .rul
 files showing how this can be used (I'll be willing to give modified
 versions of all the *.def files if needed).

	Note how eval is used to pass the IP and NM information for
 the interfaces to the other rules.

======================================================================
#!/bin/sh

# find interface names
EXTERNAL=`default-if`
INTERNAL=`enumerate-if | grep -v lo`

if [ -n "$EXTERNAL" ]; then
    for ext in $EXTERNAL; do
        INTERNAL=`echo $INTERNAL | sed -e s/$ext//`
    done
fi

# set up the ip and netmask of all the interfaces
if [ -n "$EXTERNAL" ]; then
    for ext in $EXTERNAL; do
	IPOFIF=$(ipofif $ext)
	NMOFIF=$(nmofif $ext)
	eval "IPOFIF_$ext=$IPOFIF"
	eval "NMOFIF_$ext=$NMOFIF"
	echo "Getting addresses for external $ext: IP=$IPOFIF NM=$NMOFIF"
    done
fi


if [ -n "$INTERNAL" ]; then
    for int in $INTERNAL; do
	IPOFIF=$(ipofif $int)
	NMOFIF=$(nmofif $int)
	eval "IPOFIF_$int=$IPOFIF"
	eval "NMOFIF_$int=$NMOFIF"
	echo "Getting addresses for internal $int: IP=$IPOFIF NM=$NMOFIF"
    done
fi
======================================================================

I30internal.rul excerpt (the real file is looong, and also,
dissemination is a security breach ;-)

======================================================================
if [ -n "$INTERNAL" ]; then
 for int in $INTERNAL; do
  ext='';
  eval "IPOFIF_INT=\$IPOFIF_$int"
  eval "NMOFIF_INT=\$NMOFIF_$int"
  echo "I30internal  rules $IPFWADM int=$int";
  case $MASQMETHOD in
    ipfwadm)
     # local interface, local machines, going anywhere is valid
     $IPFWADM -I -a accept -V $IPOFIF_INT -S $IPOFIF_INT/$NMOFIF_INT -D 0.0.0.0/0

[SNIP]

     if [ -n "$EXTERNAL" ]; then
       for ext in $EXTERNAL; do
        echo "I30internal rules $IPFWADM int=$int ext=$ext"
        eval "IPOFIF_EXT=\$IPOFIF_$ext"
        eval "NMOFIF_EXT=\$NMOFIF_$ext"
        # remote interface, claiming to be local machines, IP
        # spoofing, get lost 
        $IPFWADM -I -a deny -V $IPOFIF_EXT -S $IPOFIF_INT/$NMOFIF_INT -D 0.0.0.0/0 -o

[SNIP]

       done
     fi
     ;;
   ipchains)
     # local interface, local machines, going anywhere is valid
     $IPCHAINS -A input -j ACCEPT -i $int -s $IPOFIF_INT/$NMOFIF_INT
     if [ -n "$EXTERNAL" ]; then
       # unquoted so the loop sees one interface name per iteration
       for ext in $EXTERNAL; do
         echo "I30internal rules $IPCHAINS int=$int ext=$ext"
         eval "IPOFIF_EXT=\$IPOFIF_$ext"
         eval "NMOFIF_EXT=\$NMOFIF_$ext"
         # remote interface, claiming to be local machines, IP
         # spoofing, get lost
         $IPCHAINS -A input -j DENY -i $ext -s $IPOFIF_INT/$NMOFIF_INT -o

[SNIP]

       done
     fi
     ;;
   esac
 done
fi
======================================================================


-- System Information
Debian Release: slink
Kernel Version: Linux tiamat 2.0.35 #1 Fri Jul 17 13:07:56 CDT 1998 i486 unknown

Versions of the packages ipmasq depends on:
ii  netbase         3.11-1         Basic TCP/IP networking binaries

-- 
 "To IBM, 'open' means there is a modicum of interoperability among
 some of their equipment." Harv Masterson
Manoj Srivastava  <srivasta@acm.org> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
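The caching idea from A01interfaces.rul and its use in I30internal.rul, as an added, self-contained example rather than code from the report or the ipmasq package. Everything it runs against is constructed: ipofif and nmofif are stand-ins that read an inline table, the EXTERNAL and INTERNAL lists are fixed strings, and antispoof_rule prints the ipchains command instead of executing it, so no root and no ipmasq installation are needed. Two details are assumptions not in the posted scripts: an ifkey helper sanitizes interface names before they are spliced into a variable name for eval (a name such as eth0.10 would otherwise be a syntax error), and the value is assigned as `\$ip` so eval never re-parses it. The last two functions show the effect of quoting the list in `for ext in "$EXTERNAL"`: the loop runs once with the whole list as one interface name.

```sh
#!/bin/sh
# Added example, not from the original report or the ipmasq package.
# Query each interface's IP and netmask once, store them in
# IPOFIF_<key>/NMOFIF_<key> via eval, and let later rules read the cache.

# Constructed sample data: "<interface> <ip> <netmask>" per line.
SAMPLE_IFDATA='eth0 192.168.1.1 255.255.255.0
ppp0 10.0.0.5 255.255.255.255
eth0.10 192.168.10.1 255.255.255.0'

# Hypothetical stand-ins for ipmasq's ipofif/nmofif helpers; they read the
# constructed table so the script runs offline.
ipofif() { printf '%s\n' "$SAMPLE_IFDATA" | awk -v i="$1" '$1 == i { print $2 }'; }
nmofif() { printf '%s\n' "$SAMPLE_IFDATA" | awk -v i="$1" '$1 == i { print $3 }'; }

# Assumed helper: map an interface name to a safe variable-name suffix.
# eval "IPOFIF_$int=..." is a syntax error for eth0.10 or eth0:1, so every
# character outside [A-Za-z0-9_] becomes '_' (eth0.10 -> eth0_10).
ifkey() { printf '%s' "$1" | sed 's/[^A-Za-z0-9_]/_/g'; }

# Call ipofif/nmofif exactly once per interface and cache the answers.
# IFCACHE_CALLS counts the interfaces looked up, to check "once per session".
IFCACHE_CALLS=0
cache_ifaddrs() {
    for dev in $1; do          # unquoted on purpose: split the list into names
        key=$(ifkey "$dev")
        ip=$(ipofif "$dev")
        nm=$(nmofif "$dev")
        eval "IPOFIF_$key=\$ip"   # eval sees IPOFIF_eth0=$ip, so the value is
        eval "NMOFIF_$key=\$nm"   # assigned verbatim and never re-parsed
        IFCACHE_CALLS=$((IFCACHE_CALLS + 1))
    done
}

# Read back cached values; rule files use these instead of calling ipofif.
ipof() { eval "printf '%s\n' \"\$IPOFIF_$(ifkey "$1")\""; }
nmof() { eval "printf '%s\n' \"\$NMOFIF_$(ifkey "$1")\""; }

# Build (do not run) the ipchains anti-spoofing rule from I30internal.rul:
# a packet arriving on the external interface with an internal source
# address is denied. $1 = external interface, $2 = internal interface.
antispoof_rule() {
    printf 'ipchains -A input -j DENY -i %s -s %s/%s\n' "$1" "$(ipof "$2")" "$(nmof "$2")"
}

# Quoting pitfall: a quoted list is one word, so the body runs once with
# "ppp0 ppp1" as the interface name and no per-interface rule is produced.
loop_count_quoted()   { n=0; for w in "$1"; do n=$((n + 1)); done; echo "$n"; }
loop_count_unquoted() { n=0; for w in $1;   do n=$((n + 1)); done; echo "$n"; }

# Constructed interface lists standing in for default-if / enumerate-if.
EXTERNAL='ppp0'
INTERNAL='eth0 eth0.10'
cache_ifaddrs "$EXTERNAL $INTERNAL"

for int in $INTERNAL; do
    for ext in $EXTERNAL; do
        antispoof_rule "$ext" "$int"
    done
done
echo "address helpers were consulted for $IFCACHE_CALLS interfaces"
```

Running it prints one DENY rule per (external, internal) pair and reports that the helpers were consulted three times in total, once per interface, regardless of how many rules consume the values.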