From owner-freebsd-net@FreeBSD.ORG Tue Apr 28 06:52:00 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CE9E3106566B for ; Tue, 28 Apr 2009 06:52:00 +0000 (UTC) (envelope-from julian@elischer.org) Received: from outP.internet-mail-service.net (outp.internet-mail-service.net [216.240.47.239]) by mx1.freebsd.org (Postfix) with ESMTP id 55AC08FC0C for ; Tue, 28 Apr 2009 06:51:59 +0000 (UTC) (envelope-from julian@elischer.org) Received: from idiom.com (mx0.idiom.com [216.240.32.160]) by out.internet-mail-service.net (Postfix) with ESMTP id 6E02F14DDAD; Mon, 27 Apr 2009 23:51:59 -0700 (PDT) X-Client-Authorized: MaGic Cook1e X-Client-Authorized: MaGic Cook1e X-Client-Authorized: MaGic Cook1e Received: from julian-mac.elischer.org (home.elischer.org [216.240.48.38]) by idiom.com (Postfix) with ESMTP id 62B7E2D6229; Mon, 27 Apr 2009 23:51:58 -0700 (PDT) Message-ID: <49F6A796.4060100@elischer.org> Date: Mon, 27 Apr 2009 23:52:06 -0700 From: Julian Elischer User-Agent: Thunderbird 2.0.0.21 (Macintosh/20090302) MIME-Version: 1.0 To: ddg@yan.com.br References: <49F06985.1000303@yan.com.br> <49F0A7DD.30206@elischer.org> <49F1DBAE.1080205@yan.com.br> <49F235F4.2030202@elischer.org> <49F5D8A3.3050805@yan.com.br> In-Reply-To: <49F5D8A3.3050805@yan.com.br> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org Subject: Re: IPFW MAX RULES COUNT PERFORMANCE X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Apr 2009 06:52:01 -0000 Daniel Dias Gonçalves wrote: > Julian, > > You could give an example of rules with tables? I'm sorry I forgot that you want to count packets from each client. tables won't work for that. for counting I suggest the technique I show below, but for just allowing, you can add allowable addresses to a table, e.g. table 1 add 1.2.3.4 and test it with allow ip from table (1) to any > > Julian Elischer escreveu: >> Daniel Dias Gonçalves wrote: >>> Very good thinking, congratulations, but my need is another. >>> The objective is a Captive Porrtal that each authentication is >>> dynamically created a rule to ALLOW or COUNT IP authenticated, which >>> I'm testing is what is the maximum capacity of rules supported, >>> therefore simultaneous user. >>> >>> Understand ? >>> >> I think so. >> >> >> do not add rules. >> have a single rule that looks in a table >> and add entries to the table when needed. >> >>> Thanks, >>> >>> Daniel >>> >>> Julian Elischer escreveu: >>>> Daniel Dias Gonçalves wrote: >>>>> Hi, >>>>> >>>>> My system is a FreeBSD 7.1R. >>>>> When I add rules IPFW COUNT to 254 IPS from my network, one of my >>>>> interfaces increases the latency, causing large delays in the >>>>> network, when I delete COUNT rules, everything returns to normal, >>>>> which can be ? >>>>> >>>>> My script: >>>> >>>> of course adding 512 rules, *all of which hav eto be evaluated* will >>>> add latency. >>>> >>>> you have several ways to improve this situation. >>>> >>>> 1/ use a differnet tool. >>>> By using the netgraph netflow module you can get >>>> accunting information that may be more useful and less impactful. >>>> >>>> 2/ you could make your rules smarter.. >>>> >>>> use skipto rules to make the average packet traverse less rules.. >>>> >>>> off the top of my head.. (not tested..) >>>> >>>> Assuming you have machines 10.0.0.1-10.0.0.254.... >>>> the rules below have an average packet traversing 19 rules and not >>>> 256 for teh SYN packet and 2 rules for others.. >>>> you may not be able to do the keep state trick if you use state for >>>> other stuff but in that case worst case will still be 19 rules. >>>> >>>> 2 check-state >>>> 5 skipto 10000 ip from not 10.0.0.0/24 to any >>>> 10 skipto 2020 ip from not 10.0.0.0/25 to any # 0-128 >>>> 20 skipto 1030 ip from not 10.0.0.0/26 to any # 0-64 >>>> 30 skipto 240 ip from not 10.0.0.0/27 to any # 0-32 >>>> 40 skipto 100 ip from not 10.0.0.0/28 to any # 0-16 >>>> [16 count rules for 0-15] >>>> 80 skipto 10000 ip from any to any >>>> 100 [16 count rules for 16-31] keep-state >>>> 140 skipto 10000 ip from any to any >>>> 240 skipto 300 ip from not 10.0.0.32/28 >>>> [16 rules for 32-47] keep-state >>>> 280 skipto 10000 ip from any to any >>>> 300 [16 count rules for 48-63] keep-state >>>> 340 skipto 10000 ip from any to any >>>> 1030 skipto 1240 ip from not 10.0.0.64/27 to any >>>> 1040 skipto 1100 ip from not 10.0.0.64/28 to any >>>> [16 count rules for 64-79] keep-state >>>> 1080 skipto 10000 ip from any to any >>>> 1100 [16 rules for 80-95] keep-state >>>> 1140 skipto 10000 ip from any to any >>>> 1240 skipto 1300 ip from not 10.0.0.96/28 to any >>>> [16 count rules for 96-111] keep-state >>>> 1280 skipto 10000 ip from any to any >>>> 1300 [16 rules for 112-127] keep-state >>>> 1340 skipto 10000 ip from any to any >>>> 2020 skipto 3030 ip from not 10.0.0.128/26 to any >>>> 2030 skipto 2240 ip from not 10.0.0.128/28 to any >>>> [16 count rules for 128-143] keep-state >>>> 2080 skipto 10000 ip from any to any >>>> 2100 [16 rules for 144-159] keep-state >>>> 2140 skipto 10000 ip from any to any >>>> 2240 skipto 2300 ip from not 10.0.0.32/28 to any >>>> [16 count rules for 160-175] keep-state >>>> 2280 skipto 10000 ip from any to any >>>> 2300 [16 count rules for 176-191] keep-state >>>> 2340 skipto 10000 ip from any to any >>>> 3030 skipto 3240 ip from not 10.0.0.192/27 to any >>>> 3040 skipto 3100 ip from not 10.0.0.192/28 to any >>>> [16 count rules for 192-207] keep-state >>>> 3080 skipto 10000 ip from any to any >>>> 3100 [16 rules for 208-223] keep-state >>>> 3240 skipto 10000 ip from any to any >>>> 3240 skipto 3300 ip from not 10.0.0.224/28 to any >>>> [16 count rules for 224-239] keep-state >>>> 3280 skipto 10000 ip from any to any >>>> 3300 [16 count rules for 240-255] keep-state >>>> 3340 skipto 10000 ip from any to any >>>> >>>> 10000 #other stuff >>>> >>>> in fact you could improve it further with: >>>> 1/ either going down to a netmask of 29 (8 rules per set) >>>> or >>>> 2/ instead of having count rules make them skipto >>>> so you would have: >>>> 3300 skipto 10000 ip from 10.0.0.240 to any >>>> 3301 skipto 10000 ip from 10.0.0.241 to any >>>> 3302 skipto 10000 ip from 10.0.0.242 to any >>>> 3303 skipto 10000 ip from 10.0.0.243 to any >>>> 3304 skipto 10000 ip from 10.0.0.244 to any >>>> 3305 skipto 10000 ip from 10.0.0.245 to any >>>> 3306 skipto 10000 ip from 10.0.0.246 to any >>>> 3307 skipto 10000 ip from 10.0.0.247 to any >>>> 3308 skipto 10000 ip from 10.0.0.248 to any >>>> 3309 skipto 10000 ip from 10.0.0.249 to any >>>> 3310 skipto 10000 ip from 10.0.0.240 to any >>>> 3311 skipto 10000 ip from 10.0.0.241 to any >>>> 3312 skipto 10000 ip from 10.0.0.242 to any >>>> 3313 skipto 10000 ip from 10.0.0.243 to any >>>> 3314 skipto 10000 ip from 10.0.0.244 to any >>>> 3315 skipto 10000 ip from 10.0.0.245 to any >>>> >>>> thus on average, a packet would traverse half the rules (8). >>>> >>>> 3/ both the above so on average they would traverse 4 rules plus >>>> one extra skipto. >>>> >>>> you should be able to do the above in a script. >>>> I'd love to see it.. >>>> >>>> (you can also do skipto tablearg in -current (maybe 7.2 too) >>>> which may also be good.. (or not)) >>>> >>>> >>>> julian >>>> >>>> >>>> >>>> _______________________________________________ >>>> freebsd-net@freebsd.org mailing list >>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net >>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" >>>> >>>> >> >> _______________________________________________ >> freebsd-net@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-net >> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" >> >>