From owner-freebsd-net Wed Sep 19 10:37:59 2001
Date: Wed, 19 Sep 2001 19:39:13 +0200 (CEST)
From: Leif Neland
To: "Marc G. Fournier"
Subject: Re: ipfw problems ...
In-Reply-To: <20010919075409.G30377-100000@mail1.hub.org>
Message-ID: <20010919190035.S34253-100000@arnold.neland.dk>

> > Third, take into account that since ipfw takes 'first matching rule
> > wins' approach, you will get performance boost by moving more
> > frequently used and more general rules "up" in the ruleset. For
> > example, if you move the rule from position 700 to 200 packet will be
> > matched only against 200 rules instead of 700.
>
> Thought about, but not possible ... unless I'm mis-understanding something
> ... these rules are the exceptions ... "if none of these b-class networks
> isn't matched, *then* shape the bandwidth for anything not in there" ...
>

Is the machine dying when *adding* the rules or when *using* the rules?

If your first rule is "ipfw add 100 skipto 32768 ip from any to 1/1" you will have divided your rules, so networks from 0.0.0.0 to 127.255.255.255 will be handled by half of the rules, and the rest by the other half.
So instead of traversing 700 rules, an unmatched packet will only traverse 350.

Perhaps you could write a (perl?) script, which you feed a list of all the networks (B's?) and which generates the proper rules. You could post that as a challenge to your local group of nerds, if you can find them...

Also remember that the mask does not need to be "without holes"; a mask of 255.127.255.0 is ok. But I guess you must either be a computer or autistic to be able to spot those masks...

Another idea: is the routing mechanism better at sorting by IP than ipfw? If so, you could route the expensive traffic to the shaper machine.

On top of that: is the routing information available from your uplinks? Perhaps you could get BGP or OSPF routing information, saving you the trouble of maintaining the table.

Also, what happens if you send "expensive" packets to the free uplink? Could that be used to have two default gateways with different metrics? Or can this only shift the entire stream between the two gateways?

Or you could patch ipfw to be able to use a hash-db :-)

Leif
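A sketch of the generator script suggested above, as an added example that is not part of the original thread: it takes a list of exception networks (the constructed sample below), emits both the flat ruleset and the skipto-partitioned one, and simulates ipfw's first-match walk so the saving for an unmatched packet can be counted. The rule numbering (100/200/32768/60000), the split on 0.0.0.0/1 (the "1/1" of the post) and the allow-then-pipe policy are assumptions.

```python
import ipaddress

# Constructed sample: the "exception" networks whose traffic must bypass the pipe.
EXCEPTIONS = ["10.1.0.0/16", "10.2.0.0/16", "64.10.0.0/16",
              "128.5.0.0/16", "130.225.0.0/16", "192.38.0.0/16"]

def flat_ruleset(networks, pipe=1):
    """Naive list: one allow per network, then shape everything else."""
    rules = [f"add {100 + 10 * i} allow ip from any to {n}" for i, n in enumerate(networks)]
    return rules + [f"add 60000 pipe {pipe} ip from any to any"]

def partitioned_ruleset(networks, pipe=1, split="0.0.0.0/1",
                        hi_base=200, lo_base=32768, end=60000):
    """Same policy, but destinations inside `split` jump (skipto) to the block at
    lo_base and the rest stay in the block at hi_base: half the walk for a miss."""
    split_net = ipaddress.ip_network(split)
    nets = sorted(ipaddress.ip_network(n) for n in networks)
    lo = [n for n in nets if n.subnet_of(split_net)]
    hi = [n for n in nets if not n.subnet_of(split_net)]
    if hi_base + 10 * len(hi) >= lo_base:
        raise ValueError("upper block would overlap the lower block")
    rules = [f"add 100 skipto {lo_base} ip from any to {split_net}"]
    rules += [f"add {hi_base + 10 * i} allow ip from any to {n}" for i, n in enumerate(hi)]
    rules.append(f"add {hi_base + 10 * len(hi)} skipto {end} ip from any to any")
    rules += [f"add {lo_base + 10 * i} allow ip from any to {n}" for i, n in enumerate(lo)]
    rules.append(f"add {end} pipe {pipe} ip from any to any")
    return rules

def rules_walked(rules, dst):
    """Simulate ipfw's first-match walk for a packet to `dst`: returns
    (rules evaluated, action); 'default' means nothing matched."""
    dst = ipaddress.ip_address(dst)
    parsed = []
    for r in rules:  # "add NUM ACTION [ARG] ip from any to TARGET"
        t = r.split()
        arg = int(t[3]) if t[2] in ("skipto", "pipe") else None
        parsed.append((int(t[1]), t[2], arg, t[-1]))
    parsed.sort()
    i = walked = 0
    while i < len(parsed):
        num, action, arg, target = parsed[i]
        walked += 1
        if target == "any" or dst in ipaddress.ip_network(target):
            if action != "skipto":
                return walked, action
            i = next(j for j, p in enumerate(parsed) if p[0] >= arg)  # jump forward
        else:
            i += 1
    return walked, "default"
```

The saving grows with the size of the exception list; with a longer list the same split can be applied recursively inside each half.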