From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 5 02:02:56 2004
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C9A8416A4CE for ; Thu, 5 Aug 2004 02:02:56 +0000 (GMT)
Received: from mx01.bos.ma.towardex.com (mx01.bos.ma.towardex.com [65.124.16.9]) by mx1.FreeBSD.org (Postfix) with ESMTP id A4EBF43D2D for ; Thu, 5 Aug 2004 02:02:56 +0000 (GMT) (envelope-from haesu@mx01.bos.ma.towardex.com)
Received: by mx01.bos.ma.towardex.com (TowardEX ESMTP 3.0p11_DAKN, from userid 1001) id 6ABDD2F929; Wed, 4 Aug 2004 22:02:56 -0400 (EDT)
Date: Wed, 4 Aug 2004 22:02:56 -0400
From: James
To: Evgeny Ivanov
Message-ID: <20040805020256.GA52484@scylla.towardex.com>
References: <40FF6220.9030506@sofia.itdnet.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <40FF6220.9030506@sofia.itdnet.net>
User-Agent: Mutt/1.4.1i
cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW2 tables Again
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Thu, 05 Aug 2004 02:02:56 -0000

> > The question is: can I do it for about 200 users, and would that affect
> > the machine performance.
> Because the table will be checked many many times. Can you please advise
> me?

The table itself is a patricia trie. Which means the lookup of the nodes within the table (i.e. all the IPs inside table(1)) is always O(32) constant lookup.

However, your problem is elsewhere. You have a potentially increasing number of IPFW *RULES*. The ruleset (i.e. rule 00001 to 65535) is processed in a linked list at a rate of O(N) linear lookup. The more rules the firewall has to pass the packet around = the slower the performance and more potential for added latency.
At first there were linear { x or y } brace blocks to compress the number of vertical rules passed. But the { x or y } blocks are also processed in a linear lookup, which doesn't really improve any performance. Now we have the table lookup to improve the performance for rules compressed into a table rule.

Problem with your setup is that your rules aren't exactly compressed. Your setup has the potential for an increasing amount of rules, which I am afraid are linear-lookup based. Consider using skipto rules, and/or structure your IPFW rules using skipto, so that it becomes more efficient/predictable.

It would be good to see a form of 'compiled ACL' for IPFW publicly available (there are a couple of proprietary commercial modifications I am aware of) some day :-D Maybe format it a little similar to a TCAM table, where the firewall matches dest|src prefix + mask based on a bit trie (i.e. patricia trie or multibit), then does a hash lookup on values within the matching table (i.e. source port / dest port)? I am sure there are other and probably more efficient ways to do it too.

-J

--
James Jun                                  TowardEX Technologies, Inc.
Technical Lead        Network Design, Consulting, IT Outsourcing
james@towardex.com    Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867 web: http://www.towardex.com , noc: www.twdx.net
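The contrast James draws above (a ruleset that grows one rule per user and is walked linearly, versus a fixed number of rules that consult a table and branch with skipto) is easier to see side by side. The script below is an added example, not code from the thread or from FreeBSD; it generates both layouts for a constructed list of four user addresses and an assumed outbound interface `em0`, and prints the `ipfw` commands instead of executing them so the ruleset can be reviewed before being piped into `sh` on the firewall.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post). Emits two ipfw
# rulesets for the same set of user addresses: one rule per user (the ruleset
# grows with N and every non-matching packet walks all of it), and one that
# keeps the addresses in table 1 and uses skipto so the rule count stays fixed.
# The address list and interface name are constructed sample values.

USERS="192.0.2.10 192.0.2.11 192.0.2.12 192.0.2.13"   # constructed sample
WAN_IF="em0"                                            # assumed interface

# Naive layout: one 'allow' rule per address, then a catch-all deny.
# The number of rules the packet path traverses is N+1.
gen_per_user_rules() {
    n=1000
    for ip in $USERS; do
        echo "ipfw add $n allow ip from $ip to any out via $WAN_IF"
        n=$((n + 1))
    done
    echo "ipfw add $n deny ip from any to any out via $WAN_IF"
}

# Table layout: addresses become table entries (trie lookup inside one rule);
# the ruleset itself is three rules regardless of how many users there are.
# Matching traffic jumps forward to the 2000 block, everything else hits deny.
gen_table_rules() {
    for ip in $USERS; do
        echo "ipfw table 1 add $ip"
    done
    echo "ipfw add 1000 skipto 2000 ip from table(1) to any out via $WAN_IF"
    echo "ipfw add 1001 deny ip from any to any out via $WAN_IF"
    echo "ipfw add 2000 allow ip from any to any out via $WAN_IF"
}

# Counts firewall rules (not table entries) in a generated ruleset read from
# stdin; this is the quantity that is walked linearly per packet.
count_rules() {
    grep -c '^ipfw add'
}

# Usage: sh thisscript.sh show   (prints both layouts with their rule counts)
if [ "${1:-}" = "show" ]; then
    echo "# per-user layout: $(gen_per_user_rules | count_rules) rules"
    gen_per_user_rules
    echo "# table layout: $(gen_table_rules | count_rules) rules"
    gen_table_rules
fi
```

With four users the per-user layout installs five rules and the table layout three; add forty more addresses to `USERS` and only the first number changes, which is the point of moving the per-user data out of the ruleset and into the table.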