Date: Sat, 24 Aug 2019 23:44:21 +0300 From: Victor Gamov <vit@otcnet.ru> To: Eugene Grosbein <eugen@grosbein.net>, freebsd-net@freebsd.org Subject: Re: finding optimal ipfw strategy Message-ID: <b9db2373-1c74-349a-830c-43cbf6a3420f@otcnet.ru> In-Reply-To: <7ca629bd-065b-549a-37f4-cd41d18f83e3@grosbein.net> References: <f38b21a5-8f9f-4f60-4b27-c810f78cdc88@otcnet.ru> <4ff39c8f-341c-5d72-1b26-6558c57bff8d@grosbein.net> <7ca629bd-065b-549a-37f4-cd41d18f83e3@grosbein.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Eugene Many thanks for your reply! I need to read more about tablearg and then modify my current production rules step by step. Thank you again! On 24/08/2019 23:11, Eugene Grosbein wrote: > 25.08.2019 2:34, Eugene Grosbein wrote: > >> Also, use table arguments and not only table values, do not ignore their existence: >> >> ipfw table $Mcast1_iface_out add vlan20 $mcast11 >> ipfw table $Mcast1_iface_out add vlan20 $mcast12 >> ipfw table $Mcast1_iface_out add vlan20 $mcast13 >> ipfw add 25000 allow udp from IP1 to tablearg out xmit "table($Mcast1_iface_out)" >> >> Note there is one single checking ipfw rules for all used pairs ($Mcast1_iface_out, $mcastXX) >> and this time it is not micro-optimization but very important one when you have plenty of mcastXX. > > I have to correct myself: ipfw table cannot contain multiple values differing with arguments only, > so we should rewrite commands this way: first table contains just list of used multicast destination IPs: > > Mcast_addr_out=1 > ipfw table $Mcast_addr_out create type addr > ipfw table $Mcast_addr_out add $mcast11 25012 # use range of rules 25012-49999 > ipfw table $Mcast_addr_out add $mcast12 25014 # increment rule number by 2 > ipfw table $Mcast_addr_out add $mcast13 25016 > > And you have multiple tables for list of interfaces, one table per multicast destination: > > Mcast1_iface_out=2 > ipfw table $Mcast1_iface_out create type iface > ipfw table $Mcast1_iface_out add vlan20 > ipfw table $Mcast1_iface_out add vlan22 > ipfw table $Mcast1_iface_out add vlan39 > > Then you start filtering by splitting traffic by destination IP that is most efficient: > > ipfw add 25000 skipto tablearg from $IP1 to "table($Mcast_addr_out)" > ipfw add 25010 deny udp from $your_multicast_range to any > ipfw add 25011 skipto 50000 ip from any to any # past this set of checks > > Only traffic destined for specific IP hits the rule checking for outgoing interface: > > ipfw add 25012 allow udp from any to any out xmit "table($Mcast1_iface_out)" > ipfw add 25013 deny udp from any to any > > ipfw add 25014 allow udp from any to any out xmit "table($Mcast2_iface_out)" > ipfw add 25015 deny udp from any to any > > And so on. -- CU, Victor Gamov
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b9db2373-1c74-349a-830c-43cbf6a3420f>