From owner-freebsd-net@freebsd.org  Sat Aug 24 20:44:25 2019
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id A7FFBCAB8E
 for <freebsd-net@mailman.nyi.freebsd.org>;
 Sat, 24 Aug 2019 20:44:25 +0000 (UTC) (envelope-from vit@otcnet.ru)
Received: from mail.otcnet.ru (mail.otcnet.ru [194.190.78.3])
 by mx1.freebsd.org (Postfix) with ESMTP id 46G9HD5LDCz48PF
 for <freebsd-net@freebsd.org>; Sat, 24 Aug 2019 20:44:24 +0000 (UTC)
 (envelope-from vit@otcnet.ru)
Received: from Victors-MacBook-Air-2.local (unknown [195.91.148.145])
 by mail.otcnet.ru (Postfix) with ESMTPSA id 97531899FA;
 Sat, 24 Aug 2019 23:44:22 +0300 (MSK)
Subject: Re: finding optimal ipfw strategy
To: Eugene Grosbein <eugen@grosbein.net>, freebsd-net@freebsd.org
References: <f38b21a5-8f9f-4f60-4b27-c810f78cdc88@otcnet.ru>
 <4ff39c8f-341c-5d72-1b26-6558c57bff8d@grosbein.net>
 <7ca629bd-065b-549a-37f4-cd41d18f83e3@grosbein.net>
From: Victor Gamov <vit@otcnet.ru>
Organization: OTCnet
Message-ID: <b9db2373-1c74-349a-830c-43cbf6a3420f@otcnet.ru>
Date: Sat, 24 Aug 2019 23:44:21 +0300
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:60.0)
 Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <7ca629bd-065b-549a-37f4-cd41d18f83e3@grosbein.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Rspamd-Queue-Id: 46G9HD5LDCz48PF
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=pass (mx1.freebsd.org: domain of vit@otcnet.ru designates 194.190.78.3 as
 permitted sender) smtp.mailfrom=vit@otcnet.ru
X-Spamd-Result: default: False [-2.56 / 15.00]; ARC_NA(0.00)[];
 RCVD_VIA_SMTP_AUTH(0.00)[]; NEURAL_HAM_MEDIUM(-0.99)[-0.990,0];
 FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[];
 R_SPF_ALLOW(-0.20)[+a:mail.otcnet.ru:c];
 NEURAL_HAM_LONG(-1.00)[-0.999,0]; MIME_GOOD(-0.10)[text/plain];
 DMARC_NA(0.00)[otcnet.ru]; HAS_ORG_HEADER(0.00)[];
 TO_MATCH_ENVRCPT_SOME(0.00)[];
 NEURAL_HAM_SHORT(-0.37)[-0.372,0]; RCPT_COUNT_TWO(0.00)[2];
 IP_SCORE(0.00)[country: RU(0.01)]; RCVD_NO_TLS_LAST(0.10)[];
 FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:50822, ipnet:194.190.78.0/24, country:RU];
 MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Aug 2019 20:44:25 -0000

Eugene

Many thanks for your reply!

I need to read more about tablearg and then modify my current production 
rules step by step.

Thank you again!


On 24/08/2019 23:11, Eugene Grosbein wrote:
> 25.08.2019 2:34, Eugene Grosbein wrote:
> 
>> Also, use table arguments and not only table values, do not ignore their existence:
>>
>> ipfw table $Mcast1_iface_out add vlan20 $mcast11
>> ipfw table $Mcast1_iface_out add vlan20 $mcast12
>> ipfw table $Mcast1_iface_out add vlan20 $mcast13
>> ipfw add 25000 allow udp from IP1 to tablearg out xmit "table($Mcast1_iface_out)"
>>
>> Note there is one single checking ipfw rules for all used pairs ($Mcast1_iface_out, $mcastXX)
>> and this time it is not micro-optimization but very important one when you have plenty of mcastXX.
> 
> I have to correct myself: ipfw table cannot contain multiple values differing with arguments only,
> so we should rewrite commands this way: first table contains just list of used multicast destination IPs:
> 
> Mcast_addr_out=1
> ipfw table $Mcast_addr_out create type addr
> ipfw table $Mcast_addr_out add $mcast11 25012 # use range of rules 25012-49999
> ipfw table $Mcast_addr_out add $mcast12 25014 # increment rule number by 2
> ipfw table $Mcast_addr_out add $mcast13 25016
> 
> And you have multiple tables for list of interfaces, one table per multicast destination:
> 
> Mcast1_iface_out=2
> ipfw table $Mcast1_iface_out create type iface
> ipfw table $Mcast1_iface_out add vlan20
> ipfw table $Mcast1_iface_out add vlan22
> ipfw table $Mcast1_iface_out add vlan39
> 
> Then you start filtering by splitting traffic by destination IP that is most efficient:
> 
> ipfw add 25000 skipto tablearg from $IP1 to "table($Mcast_addr_out)"
> ipfw add 25010 deny udp from $your_multicast_range to any
> ipfw add 25011 skipto 50000 ip from any to any # past this set of checks
> 
> Only traffic destined for specific IP hits the rule checking for outgoing interface:
> 
> ipfw add 25012 allow udp from any to any out xmit "table($Mcast1_iface_out)"
> ipfw add 25013 deny udp from any to any
> 
> ipfw add 25014 allow udp from any to any out xmit "table($Mcast2_iface_out)"
> ipfw add 25015 deny udp from any to any
> 
> And so on.


-- 
CU,
Victor Gamov