Date: Wed, 02 Jun 2004 11:26:23 +0200
From: Andre Oppermann <andre@freebsd.org>
To: "Christian S.J. Peron" <csjp@freebsd.org>
Cc: ipfw@freebsd.org
Subject: Re: ipfw cached ucred patch
Message-ID: <40BD9D3F.7090100@freebsd.org>
In-Reply-To: <20040602043537.GA42327@freefall.freebsd.org>
References: <20040602043537.GA42327@freefall.freebsd.org>
Christian S.J. Peron wrote:
> All,
>
> Currently, when you have any rules which contain UID/GID
> constraints, ipfw will lock the pcb hash and do a lookup
> to find the pcb associated with that packet --
> one for each constraint.
>
> I have written a patch in an attempt to minimize the impact
> of PCB related lookups for these types of firewall rules.
>
> This patch will have the following effects on firewalls which
> contain UID/GID constraints:
>
> o Greatly reduce the locking contention associated
>   with PCB lookups.
>
> o Increase the performance of the firewall in general by making
>   PCB lookups O(1) rather than O(n) (where n represents the
>   number of UID/GID constraints in the ruleset)
>
> It would be greatly appreciated if people who are running ipfw
> rule sets containing UID/GID constraints tested this patch
> and reported any successes or failures.
>
> The patch can be downloaded from:
>
> http://people.freebsd.org/~csjp/ip_fw2_cached_ucred.patch

You can optimize it even further by directly copying the uid/gid from
the ucred while you hold the INP_LOCK. There is no need to hold on to
the entire ucred. It should be sufficient to do the ucred lookup only
once per packet in the ipfw code. If you don't find an INPCB for the
packet you'll do a negative lookup for every uid/gid rule.

> It also appears that ip_output passes a reference to the PCB.
> Perhaps we can hold a reference to the ucred stored in that
> entry and do away with lookups on outgoing packets altogether?

Yes, that would be possible, but that weaves ipfw even tighter with
ip_output and I'm currently converting it to go through the pfil_hooks
mechanism. Pfil_hooks does not allow such additional information to be
passed along directly. What you could do is to pass a m_tag with the
numerical uid/gid along with locally generated packets to get the same
effect. Here it would be good to co-ordinate with the pf/ipfilter guys so
that they can use this m_tag too.

However, for a first step just redo the lookup once per packet if
necessary.

-- 
Andre
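The once-per-packet lookup Andre describes (walk the PCB hash at most once per packet, copy the numeric uid/gid out of the ucred instead of holding a reference, and reuse a miss for every later uid/gid rule), as an added illustration in C that is neither the patch's code nor FreeBSD's ipfw; the PCB table, the ruleset and the `demo_*` helpers are constructed stand-ins for the kernel structures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

/* Constructed stand-in for the INPCB fields ipfw needs: the socket and its ucred's ids. */
struct fake_inpcb { uint32_t laddr; uint16_t lport; uid_t uid; gid_t gid; };
/* Constructed "PCB hash": two local sockets on 10.0.0.1 (sshd as root, a daemon as 1001). */
static const struct fake_inpcb pcbs[] = { { 0x0a000001, 22, 0, 0 }, { 0x0a000001, 8080, 1001, 1001 } };
static int pcb_lookups;  /* how many times the hash was walked */

static const struct fake_inpcb *pcb_lookup(uint32_t laddr, uint16_t lport)
{
    pcb_lookups++;  /* in the kernel this is the walk done under the pcb hash lock */
    for (size_t i = 0; i < sizeof(pcbs) / sizeof(pcbs[0]); i++)
        if (pcbs[i].laddr == laddr && pcbs[i].lport == lport)
            return &pcbs[i];
    return NULL;
}

/* Per-packet cache: filled at most once per packet, and a miss is remembered too. */
struct ucred_cache { bool looked_up; bool found; uid_t uid; gid_t gid; };
enum cons_kind { CONS_UID, CONS_GID };
struct rule { enum cons_kind kind; uint32_t id; };

static bool rule_matches(struct ucred_cache *c, uint32_t laddr, uint16_t lport, const struct rule *r)
{
    if (!c->looked_up) {
        const struct fake_inpcb *p = pcb_lookup(laddr, lport);
        c->looked_up = true;  /* keep only the numeric ids, no reference to the pcb or ucred */
        if (p != NULL) { c->found = true; c->uid = p->uid; c->gid = p->gid; }
    }
    if (!c->found)
        return false;  /* the negative result is reused by every later uid/gid rule */
    return r->kind == CONS_UID ? c->uid == r->id : c->gid == r->id;
}

/* Constructed ruleset with three uid/gid constraints. */
static const struct rule rules[] = { { CONS_UID, 0 }, { CONS_GID, 1001 }, { CONS_UID, 1001 } };
/* Index of the first rule matching a packet for 10.0.0.1:lport, or -1 if none matches. */
int demo_first_match(uint16_t lport)
{
    struct ucred_cache c = { false, false, 0, 0 };
    pcb_lookups = 0;
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
        if (rule_matches(&c, 0x0a000001, lport, &rules[i]))
            return (int)i;
    return -1;
}
int demo_lookup_count(void) { return pcb_lookups; }  /* hash walks in the last demo_first_match() */
```

With three uid/gid rules the hash is walked exactly once per packet whether or not a PCB exists, instead of once per rule.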