From: Julian Elischer <julian@freebsd.org>
Date: Tue, 25 Oct 2011 15:43:55 -0700
To: Karim
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw rule processing performances
Message-ID: <4EA73BAB.70607@freebsd.org>
In-Reply-To: <4EA6D78F.6010607@gmail.com>

On 10/25/11 8:36 AM, Karim wrote:
> Hi all,
>
> I am using ipfw with a fairly small amount of rules (~200). Most of
> those are skipto rules to different blocking and pass-through
> blocks. I use ipfw tags, ALTQ, nat, fwd and several deny and allow
> rules and I do not use/need tables.
>
> What I find is around 400Mbps of traffic (~40kpps) an extremely high
> amount of cpu usage related to firewall processing.
>
> What I would like to know is if there is an ongoing work to optimise
> ipfw and/or gather ideas on how to do that.
>
> I realise my question has a large scope but I am not interested in
> optimizing my ruleset. I'd like to get a feel for how, code wise, the
> current processing could be optimized (using multiple input TX/RX
> queues for example, etc...).
>
> Thanks,
>
> Karim.

I find that the structure of the ruleset has a huge effect on the cpu
usage. For example, I immediately split incoming and outgoing packets
apart and send them to different groups of rules. I also have different
groups of rules for internal and external rules.

So my rulesets usually start with:

    skipto 1000 all from any to any in recv ${OUTSIDE_INTERFACE}
    skipto 2000 all from any to any in recv ${INSIDE_INTERFACE}
    skipto 3000 all from any to any out xmit ${OUTSIDE_INTERFACE}
    skipto 4000 all from any to any out xmit ${INSIDE_INTERFACE}
    allow all from any to any via lo0
    drop all from any to any

I also try to use tables whenever possible.
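Added example, not from the thread: a toy model of ipfw's linear rule walk (with skipto jumping to the first rule numbered at or above its target) that counts how many rules a packet touches under a flat ruleset versus the direction/interface dispatch shown above. Interface names, rule numbers, the 50 "blocked hosts" per class and the sample packets are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    num: int
    action: str              # "allow", "deny" or "skipto"
    target: int = 0          # skipto destination: first rule numbered >= target
    direction: str = ""      # "in" / "out", "" means any
    iface: str = ""          # recv/xmit interface, "" means any
    src: str = ""            # source address, "" means any

def matches(rule, pkt):
    """A rule matches when every field it constrains equals the packet's field."""
    return all(not want or want == pkt[key]
               for want, key in ((rule.direction, "dir"), (rule.iface, "iface"), (rule.src, "src")))

def walk(rules, pkt):
    """Return (verdict, rules examined) for one packet; rules must be sorted by number."""
    i = examined = 0
    while i < len(rules):
        r = rules[i]
        examined += 1
        if matches(r, pkt):
            if r.action != "skipto":
                return r.action, examined
            i = next(j for j, x in enumerate(rules) if x.num >= r.target)
        else:
            i += 1
    return "deny", examined   # implicit default-deny rule at the end

# Constructed: two interfaces, four traffic classes, 50 blocked hosts per class
DIRS = [("in", "em0", 1000), ("in", "em1", 2000), ("out", "em0", 3000), ("out", "em1", 4000)]
BAD = [f"10.0.{k}.1" for k in range(50)]

def flat_ruleset():
    """One linear list: every packet walks every deny rule before the final allow."""
    rules, n = [], 100
    for d, ifc, _ in DIRS:
        for b in BAD:
            rules.append(Rule(n, "deny", direction=d, iface=ifc, src=b)); n += 1
    rules.append(Rule(n, "allow"))
    return rules

def split_ruleset():
    """Dispatch on direction/interface first (as in the reply above), then per-class blocks."""
    rules = [Rule(10 + i, "skipto", target=t, direction=d, iface=ifc)
             for i, (d, ifc, t) in enumerate(DIRS)]
    rules += [Rule(20, "allow", iface="lo0"), Rule(30, "deny")]
    for d, ifc, base in DIRS:
        rules += [Rule(base + k, "deny", direction=d, iface=ifc, src=b) for k, b in enumerate(BAD)]
        rules.append(Rule(base + len(BAD), "allow"))
    return rules

if __name__ == "__main__":
    pkt = {"dir": "out", "iface": "em1", "src": "192.0.2.5"}   # constructed benign packet
    print(walk(flat_ruleset(), pkt), walk(split_ruleset(), pkt))
```

For the benign outbound packet the flat list examines 201 rules and the split list 55; a blocked host in the last class drops from 158 to 12.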