OPNsense Forum

English Forums => Hardware and Performance => Topic started by: tswalker on April 22, 2021, 06:10:48 AM

Title: [Q] 21.1.5 and firewall: use tables in the shaper
Post by: tswalker on April 22, 2021, 06:10:48 AM
Question regarding update for | firewall: use tables in the shaper to avoid breaking ipfw with too many addresses

I previously had to break rules down due to too many CIDR addresses in a single rule. Will this allow me to consolidate those rules, and if so, what system parameters for tables should I keep an eye on or prepare to expand to handle large CIDR sets?

Title: Re: [Q] 21.1.5 and firewall: use tables in the shaper
Post by: franco on April 22, 2021, 09:51:28 AM
Yes. The problem with ipfw tables is that they process a lot slower than their pf counterparts, so large address lists are not a good idea. But for now this enables more parity between the two in how the source and destination are handled.

We are talking about ways to support aliases there, but for the performance reason mentioned we can't just allow dumping huge pf tables into ipfw.


Cheers,
Franco