Hi,
> Maybe I'll start the discussion with a wishlist :-)
> Two things I have thought of for a long time but had no time to
> hack them in yet:
> 1) make the ACL module a separate process.
> Why? We are a ISP in Germany. We primarily provide the squid service
> to our customers. Unfortunately our class C networks are not
> contiguous, so we had a rather long ACL list. We noticed that this
> had caused some significant performance degradations (as squid has
> to check the ACL list on every connection it receives). I have played
> with the order of the ACLs and moved the most frequently used to the
> top of the list. This made things a bit faster. But finally we
> decided to ignore the "holes" in the list and open quasi class B
> nets. This reduced the list from more than 100 entries to about 20 and
> made squid faster again.
> My idea was to make a separate module like dnsserver and put all the
> ACL stuff there.
Faster IP access lists would also be nice for things like firewall_ip
or local_ip.

The lookup could be made significantly faster by implementing, for
example, a hashtable for each netmask length found. This would reduce
lookup from searching a linear list to checking in perhaps 2-3 tables,
depending on how many different netmasks you have.

A separate process would only make matters more complicated and would
not do anything to speed up the lookup. A decent algorithm for IP ACL
lookup would do the job far nicer.
Greetings
Christian Kratzer
TopLink
-- 
TopLink GbR, Internet Services          info@toplink.net
Christian Kratzer                       http://www.toplink.net/
Phone: +49 7452 885 0                   Fax: +49 7452 885 199
FreeBSD spoken here!

Received on Thu Jan 02 1997 - 11:52:10 MST
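As an added illustration of the per-netmask-length hash table lookup Christian proposes above (example code written for this archive page, not squid's own ACL implementation), assuming IPv4 addresses in host byte order and a fixed, constructed bucket count:

```c
#include <stdint.h>
#include <stdlib.h>

#define BUCKETS 64   /* constructed bucket count; tune to the ACL size */

/* One network entry; all entries of the same prefix length share a table. */
struct acl_entry {
    uint32_t net;            /* network address, already masked */
    struct acl_entry *next;  /* bucket chain */
};

/* One hash table per netmask length (0..32); used[] marks which lengths exist,
 * so a lookup only probes as many tables as there are distinct netmasks. */
static struct acl_entry *tables[33][BUCKETS];
static int used[33];

static uint32_t mask_for(int prefixlen) {
    return prefixlen == 0 ? 0 : 0xFFFFFFFFu << (32 - prefixlen);
}

static unsigned bucket_of(uint32_t net) {
    return (net ^ (net >> 16) ^ (net >> 7)) % BUCKETS;  /* cheap mixing hash */
}

/* Add net/prefixlen (host byte order) to the table for that prefix length. */
int acl_add(uint32_t net, int prefixlen) {
    if (prefixlen < 0 || prefixlen > 32) return -1;
    struct acl_entry *e = malloc(sizeof *e);
    if (!e) return -1;
    e->net = net & mask_for(prefixlen);
    unsigned b = bucket_of(e->net);
    e->next = tables[prefixlen][b];
    tables[prefixlen][b] = e;
    used[prefixlen] = 1;
    return 0;
}

/* Match addr: one hashed probe per distinct netmask length in use, instead of
 * walking the whole list. Longest prefixes are tried first. Returns 1 if matched. */
int acl_match(uint32_t addr) {
    for (int len = 32; len >= 0; len--) {
        if (!used[len]) continue;
        uint32_t net = addr & mask_for(len);
        for (struct acl_entry *e = tables[len][bucket_of(net)]; e; e = e->next)
            if (e->net == net) return 1;
    }
    return 0;
}

/* Build a host-order IPv4 address from a dotted quad (keeps the example self-contained). */
uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}
```

With 100 entries spread over a handful of netmask lengths, a lookup touches a few buckets rather than comparing every entry in turn.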