Date:      Wed, 19 Sep 2001 19:39:13 +0200 (CEST)
From:      Leif Neland <leifn@neland.dk>
To:        "Marc G. Fournier" <scrappy@hub.org>
Cc:        <freebsd-net@freebsd.org>
Subject:   Re: ipfw problems ...
Message-ID:  <20010919190035.S34253-100000@arnold.neland.dk>
In-Reply-To: <20010919075409.G30377-100000@mail1.hub.org>



> > Third, take into account that since ipfw takes 'first matching rule
> > wins' approach, you will get performance boost by moving more
> > frequently used and more general rules "up" in the ruleset. For
> > example, if you move the rule from position 700 to 200 packet will be
> > matched only against 200 rules instead of 700.
>
> Thought about, but not possible ... unless I'm mis-understanding something
> ... these rules are the exceptions ... "if none of these b-class networks
> isn't matched, *then* shape the bandwidth for anything not in there" ...
>
Is the machine dying when *adding* the rules or when *using* the rules?

If your first rule is "ipfw add 100 skipto 32768 ip from any to 1/1"
you will have divided your rules, so networks from 0.0.0.0 to
127.255.255.255 will be handled by half of the rules, and the rest by the
other half. So instead of traversing 700 rules, an unmatched packet will
only traverse 350.

Perhaps you could write a (Perl?) script, which you feed a list of all the
networks (B's?) and which generates the proper rules.

You could post that as a challenge to your local group of nerds, if you
can find them...

Also remember that the mask does not need to be "without holes", a mask of
255.127.255.0 is ok.
But I guess you must either be a computer or autistic to be able to spot
those masks...

Another idea: is the routing mechanism better at sorting by IP than ipfw?
If so, you could route the expensive traffic to the shaper-machine.

On top of that: is the routing information available from your uplinks?
Perhaps you could get BGP or OSPF-routing information, saving you the
trouble of maintaining the table.

Also, what happens if you send "expensive" packets to the free uplink?

Could that be used to have two default gateways with different metrics?
Or can this only shift the entire stream between the two gateways?


Or you could patch ipfw to be able to use a hash-db :-)


Leif
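
The rule generator suggested in the message above, sketched as an added example (not part of the original e-mail and not FreeBSD code): it buckets a list of exempt networks on the leading destination bit(s), in the manner of the skipto idea, and counts how many rules a packet is compared against. The rule numbering, the `pipe 1` shaping action and all function names are assumptions of this example.

```python
import ipaddress

def build_rules(exempt, split_bits=1, first=100, step=10, pipe=1):
    """[(number, action, dst)] bucketed on the leading split_bits of dst.
    Numbering and the 'pipe' shaping action are assumptions of this example."""
    buckets = {}
    for cidr in exempt:
        net = ipaddress.ip_network(cidr)      # rejects CIDRs with host bits set
        if net.prefixlen < split_bits:
            raise ValueError(f"{cidr} spans more than one bucket")
        buckets.setdefault(net.supernet(new_prefix=split_bits), []).append(net)
    keys = sorted(buckets)
    # Layout: one dispatch rule per bucket, a fall-through, then the buckets.
    num, start = first + step * (len(keys) + 1), {}
    for key in keys:
        start[key] = num
        num += step * (len(buckets[key]) + 1)  # +1: the bucket's own fall-through
    shape, done = num, num + step
    if done >= 65535:                          # 65535 is ipfw's default rule
        raise ValueError("ruleset does not fit below rule 65535")
    rules = [(first + step * i, f"skipto {start[k]}", str(k))
             for i, k in enumerate(keys)]
    rules.append((first + step * len(keys), f"skipto {shape}", "any"))
    for key in keys:
        n = start[key]
        for net in sorted(buckets[key]):       # exempt: jump past the shaper
            rules.append((n, f"skipto {done}", str(net)))
            n += step
        rules.append((n, f"skipto {shape}", "any"))  # unmatched: go shape
    rules.append((shape, f"pipe {pipe}", "any"))
    return rules

def traversed(rules, dst):
    """(rules compared, shaped?) for a packet to dst, first match wins."""
    addr, count, pos = ipaddress.ip_address(dst), 0, 0
    while pos < len(rules):
        _, action, target = rules[pos]
        count += 1
        if target == "any" or addr in ipaddress.ip_network(target):
            verb, arg = action.split()
            if verb == "pipe":
                return count, True
            pos = next((i for i, r in enumerate(rules) if r[0] >= int(arg)), len(rules))
        else:
            pos += 1
    return count, False

def render(rules):
    return [f"ipfw add {n} {a} ip from any to {d}" for n, a, d in rules]
```

With `split_bits=0` the same generator produces the flat list, so `traversed` can compare both layouts for the same destination before anything is loaded into the firewall.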


