Speed improvements in the new ipmasq package
Package: ipmasq
Version: 3.1.3
Hi,
As the /etc/ipmasq/rules/*.def show, I used to have rules like
# local interface, local machines, going anywhere is valid
$IPFWADM -I -a accept -V `ipofif $int` -S `ipofif $int`/`nmofif $int` -D 0.0.0.0/0
The problem comes when you have a largish number of rules,
like I do. I prefer to close down all access to my machine on the
internet side, and only allow packets in on selected ports from known
sources. This makes for a large number of rules, and the effect of
making two or three calls to ipofif and nmofif per rule was
significantly bogging down the time taken to set up the wall.
Add to this the fact that the ipmasq script is supposed to be run
on every dialup (and I have diald, this means every few minutes,
maybe).
Since we do not need to call the ipofif more than once per
session, certainly not a couple of times every rule, this slowdown is
preventable. I have come up with a method of only calling the ipofif
and nmofif once per if per session. I suggest that this be made the
default for the debian ipmasq package.
I came up with this A01interfaces.rul (I propose this become
the installed standard), which gathers the interface data, and stores
the IP and the NM of the interfaces (using eval) once and for
all. Also submitted here is an example excerpt from one of my .rul
file showing how this can be used (I'll be willing to give modified
versions of all the *.def files if needed).
Note how eval is used to pass the IP and NM information for
the interfaces to the other rules.
======================================================================
#!/bin/sh
# find interface names: the default route's interface(s) are external,
# everything else (except lo) is internal
EXTERNAL=`default-if`
INTERNAL=`enumerate-if | grep -v lo`
if [ -n "$EXTERNAL" ]; then
    for ext in $EXTERNAL; do
        INTERNAL=`echo $INTERNAL | sed -e s/$ext//`
    done
fi
# set up the ip and netmask of all the interfaces, once per interface;
# eval stores them as IPOFIF_<if> and NMOFIF_<if> for the other rules
if [ -n "$EXTERNAL" ]; then
    for ext in $EXTERNAL; do
        IPOFIF=$(ipofif $ext)
        NMOFIF=$(nmofif $ext)
        eval "IPOFIF_$ext=$IPOFIF"
        eval "NMOFIF_$ext=$NMOFIF"
        echo "Getting addresses for external $ext: IP=$IPOFIF NM=$NMOFIF"
    done
fi
if [ -n "$INTERNAL" ]; then
    for int in $INTERNAL; do
        IPOFIF=$(ipofif $int)
        NMOFIF=$(nmofif $int)
        eval "IPOFIF_$int=$IPOFIF"
        eval "NMOFIF_$int=$NMOFIF"
        echo "Getting addresses for internal $int: IP=$IPOFIF NM=$NMOFIF"
    done
fi
======================================================================
I30internal.rul excerpt (the real file is looong, and also,
dissemination is a security breach ;-)
======================================================================
if [ -n "$INTERNAL" ]; then
    for int in $INTERNAL; do
        ext=''
        # fetch the cached address and netmask of this internal interface
        eval "IPOFIF_INT=\$IPOFIF_$int"
        eval "NMOFIF_INT=\$NMOFIF_$int"
        echo "I30internal rules $IPFWADM int=$int"
        case $MASQMETHOD in
        ipfwadm)
            # local interface, local machines, going anywhere is valid
            $IPFWADM -I -a accept -V $IPOFIF_INT -S $IPOFIF_INT/$NMOFIF_INT -D 0.0.0.0/0
            [SNIP]
            if [ -n "$EXTERNAL" ]; then
                for ext in $EXTERNAL; do
                    echo "I30internal rules $IPFWADM int=$int ext=$ext"
                    # cached address and netmask of this external interface
                    eval "IPOFIF_EXT=\$IPOFIF_$ext"
                    eval "NMOFIF_EXT=\$NMOFIF_$ext"
                    # remote interface, claiming to be local machines, IP
                    # spoofing, get lost (-o logs the packet)
                    $IPFWADM -I -a deny -V $IPOFIF_EXT -S $IPOFIF_INT/$NMOFIF_INT -D 0.0.0.0/0 -o
                    [SNIP]
                done
            fi
            ;;
        ipchains)
            # local interface, local machines, going anywhere is valid
            $IPCHAINS -A input -j ACCEPT -i $int -s $IPOFIF_INT/$NMOFIF_INT
            if [ -n "$EXTERNAL" ]; then
                # unquoted so that several external interfaces are iterated
                for ext in $EXTERNAL; do
                    echo "I30internal rules $IPCHAINS int=$int ext=$ext"
                    eval "IPOFIF_EXT=\$IPOFIF_$ext"
                    eval "NMOFIF_EXT=\$NMOFIF_$ext"
                    # remote interface, claiming to be local machines, IP
                    # spoofing, get lost (ipchains logs with -l; -o is the
                    # ipfwadm logging flag and means something else here)
                    $IPCHAINS -A input -j DENY -i $ext -s $IPOFIF_INT/$NMOFIF_INT -l
                    [SNIP]
                done
            fi
            ;;
        esac
    done
fi
======================================================================
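As an added example (not from this report or the ipmasq package), the same once-per-interface caching pattern in portable sh: constructed stand-ins for ipofif/nmofif record every call so the saving can be measured, and the interface name is checked against a whitelist before it is spliced into the eval'd assignment. Interface names and addresses are assumed sample values.

```sh
#!/bin/sh
# Added example, not from the report or the ipmasq package: look each
# interface up once, eval the result into IPOFIF_<if>/NMOFIF_<if>, and
# build many rules from the cache without further helper calls.

# Constructed stand-ins for ipmasq's ipofif/nmofif. They run inside a
# command-substitution subshell, so each call is recorded in a file
# (a variable would not survive); the line count is the lookup count.
LOOKUP_LOG=$(mktemp)
trap 'rm -f "$LOOKUP_LOG"' EXIT
ipofif() { echo "ip $1" >>"$LOOKUP_LOG"
           case $1 in eth0) echo 192.0.2.1 ;; ppp0) echo 198.51.100.7 ;; esac; }
nmofif() { echo "nm $1" >>"$LOOKUP_LOG"
           case $1 in eth0) echo 255.255.255.0 ;; ppp0) echo 255.255.255.255 ;; esac; }
lookup_count() { wc -l <"$LOOKUP_LOG" | tr -d ' '; }

# Only [A-Za-z0-9_] may appear in a name that becomes part of a shell
# variable; anything else is rejected before eval ever sees it.
valid_ifname() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Look up IP and netmask once per interface and cache them, as
# A01interfaces.rul does. The values go in as \$ip/\$nm so eval
# assigns them instead of re-parsing their contents.
cache_ifdata() {
    for ifn in "$@"; do
        valid_ifname "$ifn" || { echo "skipping interface name '$ifn'" >&2; continue; }
        ip=$(ipofif "$ifn"); nm=$(nmofif "$ifn")
        eval "IPOFIF_$ifn=\$ip; NMOFIF_$ifn=\$nm"
    done
}

# The "local machines on the local interface are valid" rule for one
# interface, built purely from the cache (no helper calls).
local_rule() {
    eval "ip=\$IPOFIF_$1; nm=\$NMOFIF_$1"
    echo "ipfwadm -I -a accept -V $ip -S $ip/$nm -D 0.0.0.0/0"
}

# Emit n copies of the rule per interface to mimic a long rule set.
emit_rules() {
    n=$1; shift
    for ifn in "$@"; do
        i=0
        while [ "$i" -lt "$n" ]; do local_rule "$ifn"; i=$((i + 1)); done
    done
}

cache_ifdata eth0 ppp0 'eth0.1'          # eth0.1 is rejected by the guard
emit_rules 50 eth0 ppp0 >/dev/null        # 100 rules are produced ...
echo "helper lookups: $(lookup_count)"    # ... from only 4 lookups
```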
-- System Information
Debian Release: slink
Kernel Version: Linux tiamat 2.0.35 #1 Fri Jul 17 13:07:56 CDT 1998 i486 unknown
Versions of the packages ipmasq depends on:
ii netbase 3.11-1 Basic TCP/IP networking binaries
--
"To IBM, 'open' means there is a modicum of interoperability among
some of their equipment." Harv Masterson
Manoj Srivastava <srivasta@acm.org> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E