It is a linear lookup - that is the only way to do it and not screw up the
order of the rules. And order is EXTREMELY important. A small change in
the order of rules can wreck a filter's effectiveness.
No hard limit. But the rule of thumb is to keep it as short as possible.
Also, put the rules you expect to have the most hits at the top. Like a
'permit tcp estab' rule on an input filter. Always put any anti-spoofing
rules first, then follow with the most commonly hit. Since the filter is
parsed only until a rule matches (or the end is reached with the implicit
deny) it doesn't matter how long the list is. If the packet matches on rule
4, it may as well only be 4 lines long, the rest is not parsed.
-MZ
--
Livingston Enterprises - Chair, Department of Interstitial Affairs
Phone: 800-458-9966 510-426-0770 FAX: 510-426-8951 megazone@livingston.com
For support requests: support@livingston.com <http://www.livingston.com/>
Snail mail: 6920 Koll Center Parkway #220, Pleasanton, CA 94566
See me in person: Internet Expo, Boston, MA, October 16-17, Booth 422 ;-)
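The first-match, top-down evaluation described in the post, with the "anti-spoofing first, then the most commonly hit rule" ordering, as an added example. This is illustrative code written for this page, not Livingston PortMaster filter syntax or code; the internal network 192.168.1.0/24, the hosts 192.168.1.2 and 192.168.1.10, and the sample packets are all assumed for the demonstration. It shows that swapping the anti-spoof rule below 'permit tcp estab' lets a spoofed packet through, and that a packet matching rule 2 costs the same two comparisons no matter how many rules follow.

```python
"""Toy first-match packet filter: linear walk, stop at first match, implicit deny."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # 'tcp', 'udp' or 'icmp'
    dport: int = 0
    established: bool = False  # TCP with ACK/RST set, i.e. not a new SYN


@dataclass
class Rule:
    action: str              # 'permit' or 'deny'
    proto: str = 'any'
    src: str = '0.0.0.0/0'
    dst: str = '0.0.0.0/0'
    dport: Optional[int] = None
    estab: bool = False      # match only established TCP ("permit tcp estab")
    name: str = ''

    def matches(self, pkt: Packet) -> bool:
        if self.proto != 'any' and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.estab and not (pkt.proto == 'tcp' and pkt.established):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int, str]:
    """Walk the list top-down and stop at the first matching rule.

    Returns (action, number_of_rules_examined, rule_name). Reaching the end
    without a match is the implicit deny.
    """
    for i, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, i, rule.name
    return 'deny', len(rules), 'implicit-deny'


# Assumed input filter on an Internet-facing interface protecting 192.168.1.0/24.
INTERNAL = '192.168.1.0/24'
ANTI_SPOOF = Rule('deny', src=INTERNAL, name='anti-spoof')   # outside packet claiming inside source
PERMIT_ESTAB = Rule('permit', proto='tcp', estab=True, name='permit tcp estab')
PERMIT_SMTP = Rule('permit', proto='tcp', dst='192.168.1.10/32', dport=25, name='smtp')
PERMIT_DNS = Rule('permit', proto='udp', dst='192.168.1.2/32', dport=53, name='dns')

GOOD_ORDER = [ANTI_SPOOF, PERMIT_ESTAB, PERMIT_SMTP, PERMIT_DNS]
# Same rules, only anti-spoof moved one slot down: that is the ordering mistake.
BAD_ORDER = [PERMIT_ESTAB, ANTI_SPOOF, PERMIT_SMTP, PERMIT_DNS]

# Constructed sample packets arriving from the outside interface.
SPOOFED = Packet(src='192.168.1.5', dst='192.168.1.10', proto='tcp', dport=22, established=True)
REPLY = Packet(src='203.0.113.7', dst='192.168.1.20', proto='tcp', dport=40000, established=True)
NEW_SYN = Packet(src='203.0.113.7', dst='192.168.1.20', proto='tcp', dport=80)


def padded(rules: List[Rule], extra: int) -> List[Rule]:
    """Append `extra` never-hit rules to show list length does not cost anything on early matches."""
    return rules + [Rule('deny', proto='icmp', dst='198.51.100.0/24', name=f'filler-{n}')
                    for n in range(extra)]


if __name__ == '__main__':
    for label, rules in (('good', GOOD_ORDER), ('bad', BAD_ORDER)):
        print(label, 'spoofed ->', evaluate(rules, SPOOFED))
    print('reply, 4 rules   ->', evaluate(GOOD_ORDER, REPLY))
    print('reply, 104 rules ->', evaluate(padded(GOOD_ORDER, 100), REPLY))
    print('new syn          ->', evaluate(GOOD_ORDER, NEW_SYN))
```

Run it and the spoofed packet is dropped by rule 1 under GOOD_ORDER but permitted by rule 1 under BAD_ORDER, because 'permit tcp estab' matched first and the anti-spoof rule was never consulted. The legitimate reply packet is accepted after two comparisons whether the list has 4 or 104 rules, while the unsolicited SYN walks the whole list to the implicit deny.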