From owner-freebsd-net@freebsd.org Sat Aug 24 20:44:25 2019 Return-Path: Delivered-To: freebsd-net@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id A7FFBCAB8E for ; Sat, 24 Aug 2019 20:44:25 +0000 (UTC) (envelope-from vit@otcnet.ru) Received: from mail.otcnet.ru (mail.otcnet.ru [194.190.78.3]) by mx1.freebsd.org (Postfix) with ESMTP id 46G9HD5LDCz48PF for ; Sat, 24 Aug 2019 20:44:24 +0000 (UTC) (envelope-from vit@otcnet.ru) Received: from Victors-MacBook-Air-2.local (unknown [195.91.148.145]) by mail.otcnet.ru (Postfix) with ESMTPSA id 97531899FA; Sat, 24 Aug 2019 23:44:22 +0300 (MSK) Subject: Re: finding optimal ipfw strategy To: Eugene Grosbein , freebsd-net@freebsd.org References: <4ff39c8f-341c-5d72-1b26-6558c57bff8d@grosbein.net> <7ca629bd-065b-549a-37f4-cd41d18f83e3@grosbein.net> From: Victor Gamov Organization: OTCnet Message-ID: Date: Sat, 24 Aug 2019 23:44:21 +0300 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: <7ca629bd-065b-549a-37f4-cd41d18f83e3@grosbein.net> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 46G9HD5LDCz48PF X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of vit@otcnet.ru designates 194.190.78.3 as permitted sender) smtp.mailfrom=vit@otcnet.ru X-Spamd-Result: default: False [-2.56 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; NEURAL_HAM_MEDIUM(-0.99)[-0.990,0]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+a:mail.otcnet.ru:c]; NEURAL_HAM_LONG(-1.00)[-0.999,0]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[otcnet.ru]; HAS_ORG_HEADER(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_SHORT(-0.37)[-0.372,0]; RCPT_COUNT_TWO(0.00)[2]; IP_SCORE(0.00)[country: RU(0.01)]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:50822, ipnet:194.190.78.0/24, country:RU]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 Aug 2019 20:44:25 -0000 Eugene Many thanks for your reply! I need to read more about tablearg and then modify my current production rules step by step. Thank you again! On 24/08/2019 23:11, Eugene Grosbein wrote: > 25.08.2019 2:34, Eugene Grosbein wrote: > >> Also, use table arguments and not only table values, do not ignore their existence: >> >> ipfw table $Mcast1_iface_out add vlan20 $mcast11 >> ipfw table $Mcast1_iface_out add vlan20 $mcast12 >> ipfw table $Mcast1_iface_out add vlan20 $mcast13 >> ipfw add 25000 allow udp from IP1 to tablearg out xmit "table($Mcast1_iface_out)" >> >> Note there is one single checking ipfw rules for all used pairs ($Mcast1_iface_out, $mcastXX) >> and this time it is not micro-optimization but very important one when you have plenty of mcastXX. > > I have to correct myself: ipfw table cannot contain multiple values differing with arguments only, > so we should rewrite commands this way: first table contains just list of used multicast destination IPs: > > Mcast_addr_out=1 > ipfw table $Mcast_addr_out create type addr > ipfw table $Mcast_addr_out add $mcast11 25012 # use range of rules 25012-49999 > ipfw table $Mcast_addr_out add $mcast12 25014 # increment rule number by 2 > ipfw table $Mcast_addr_out add $mcast13 25016 > > And you have multiple tables for list of interfaces, one table per multicast destination: > > Mcast1_iface_out=2 > ipfw table $Mcast1_iface_out create type iface > ipfw table $Mcast1_iface_out add vlan20 > ipfw table $Mcast1_iface_out add vlan22 > ipfw table $Mcast1_iface_out add vlan39 > > Then you start filtering by splitting traffic by destination IP that is most efficient: > > ipfw add 25000 skipto tablearg from $IP1 to "table($Mcast_addr_out)" > ipfw add 25010 deny udp from $your_multicast_range to any > ipfw add 25011 skipto 50000 ip from any to any # past this set of checks > > Only traffic destined for specific IP hits the rule checking for outgoing interface: > > ipfw add 25012 allow udp from any to any out xmit "table($Mcast1_iface_out)" > ipfw add 25013 deny udp from any to any > > ipfw add 25014 allow udp from any to any out xmit "table($Mcast2_iface_out)" > ipfw add 25015 deny udp from any to any > > And so on. -- CU, Victor Gamov