From: Bill Moran <wmoran@collaborativefusion.com>
To: ddg@yan.com.br
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Date: Thu, 23 Apr 2009 11:01:24 -0400
Subject: Re: IPFW MAX RULES COUNT PERFORMANCE
Message-Id: <20090423110124.85788142.wmoran@collaborativefusion.com>
In-Reply-To: <49F06985.1000303@yan.com.br>
Organization: Collaborative Fusion Inc.
X-Mailer: Sylpheed 2.6.0 (GTK+ 2.14.7; i386-portbld-freebsd7.1)
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

In response to Daniel Dias Gonçalves:

> My system is a FreeBSD 7.1R.
> When I add rules IPFW COUNT to 254 IPs from my network, one of my
> interfaces increases the latency, causing large delays in the network,
> when I delete COUNT rules, everything returns to normal, which can be ?

Not sure what you mean by the "which can be" part of the question.
But the answer is "of course latency increases". Did you expect this kind of traffic tracking to be free? It's not on any operating system or other networking device in existence. It takes CPU cycles and memory to do the tracking, and flipping bits in memory takes time. Therefore, your latency will increase when you add 512 counters to your rules. It's the overhead associated with such logging.

Of course, you don't mention _how_much_ latency increases. I can only assume that it's to a degree that you find unacceptable. You also don't mention what hardware you're doing this on, but I would expect that on sufficiently beefy hardware the added latency is low enough not to be a problem.

However, without those details, I expect that the following answer is the best you're going to get: if you need to do such logging and the latency increase is unacceptable, then get faster hardware to do it on, or concoct some method to do it out of band so that the latency doesn't slow down the connections.
> My script:
>
> ipcount.php
> -- CUT --
> <?php   // opening tag, missing from the quoted copy
> $c=0;       // rules-per-host counter
> $a=50100;   // first ipfw rule number
> for($x=0;$x<=0;$x++) {
>     for($y=1;$y<=254;$y++) {
>         $ip = "192.168.$x.$y";
>         // two COUNT rules per host, both under rule number $a
>         system("/sbin/ipfw -q add $a count { tcp or udp } from any to $ip/32");
>         system("/sbin/ipfw -q add $a count { tcp or udp } from $ip/32 to any");
>         #system("/sbin/ipfw delete $a");
>         $c++;
>         $a++;
>     }
> }
> echo "\n\nTotal: $c\n";
> ?>
> -- CUT --
>
> net.inet.ip.fw.dyn_keepalive: 1
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.static_count: 262
> net.inet.ip.fw.dyn_max: 10000
> net.inet.ip.fw.dyn_count: 0
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_buckets: 10000
> net.inet.ip.fw.default_rule: 65535
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.debug: 0
> net.inet.ip.fw.one_pass: 1
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.enable: 1
> net.link.ether.ipfw: 1
> net.link.bridge.ipfw: 0
> net.link.bridge.ipfw_arp: 0
>
> Thanks,
>
> Daniel

--
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/
wmoran@collaborativefusion.com
Phone: 412-422-3463x4023
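The reply asks how much latency the COUNT rules actually add, so here is an added example (not from the thread or from either poster) that installs the same rule set as ipcount.php, measures the average ping RTT before, with, and after the rules, and prints the difference. It assumes root on the FreeBSD box with ipfw enabled, that TARGET names a host behind the affected interface, and that rule numbers from 50100 and the 192.168.0.0/24 range mirror the posted script.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: root on the FreeBSD box with
# ipfw enabled, TARGET is a host behind the affected interface, and the rule
# numbers (50100 upward) and 192.168.0.0/24 mirror the thread's ipcount.php.
# Nothing runs unless IPFW_BENCH=1, so the helpers can be sourced and tested.

# Average RTT in ms from ping's summary line
# ("round-trip min/avg/max/stddev = a/b/c/d ms" on FreeBSD).
rtt_avg() {
    awk '/min\/avg\/max/ { n = split($4, a, "/"); if (n >= 2) print a[2] }'
}

# b - a in ms with three decimals (sh has no floating point, awk does).
rtt_delta() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.3f\n", b - a }'
}

# Same rule set as ipcount.php: two COUNT rules per host, one rule number
# per host from 50100. The braces are literal arguments, as ipfw expects.
add_count_rules() {
    a=50100; y=1
    while [ "$y" -le 254 ]; do
        ip="192.168.0.$y"
        ipfw -q add "$a" count { tcp or udp } from any to "$ip/32"
        ipfw -q add "$a" count { tcp or udp } from "$ip/32" to any
        a=$((a + 1)); y=$((y + 1))
    done
}

# Remove the 254 rule numbers again (50100..50353).
del_count_rules() {
    a=50100
    while [ "$a" -le 50353 ]; do ipfw -q delete "$a"; a=$((a + 1)); done
}

# Ping the target N times before, with, and after the rules and print the
# average RTT of each run plus the added delay, so the cost is a number.
bench() {
    target="$1"; n="${2:-50}"
    before=$(ping -q -c "$n" "$target" | rtt_avg)
    add_count_rules
    with=$(ping -q -c "$n" "$target" | rtt_avg)
    del_count_rules
    after=$(ping -q -c "$n" "$target" | rtt_avg)
    echo "avg rtt ms: before=$before with_rules=$with after=$after" \
         "added=$(rtt_delta "$before" "$with")"
}
if [ "${IPFW_BENCH:-0}" = 1 ]; then
    bench "${TARGET:?set TARGET to a host behind the affected interface}" "${COUNT:-50}"
fi
```

Run it as `IPFW_BENCH=1 TARGET=192.168.0.10 sh bench.sh` on the firewall itself; the "after" figure should return to the "before" figure, matching what Daniel saw when deleting the rules.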