From: Julian Elischer
Date: Thu, 23 Apr 2009 10:39:41 -0700
To: ddg@yan.com.br
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: Re: IPFW MAX RULES COUNT PERFORMANCE
Message-ID: <49F0A7DD.30206@elischer.org>
In-Reply-To: <49F06985.1000303@yan.com.br>
List-Id: Networking and TCP/IP with FreeBSD

Daniel Dias Gonçalves wrote:
> Hi,
>
> My system is a FreeBSD 7.1R.
> When I add rules IPFW COUNT to 254 IPS from my network, one of my
> interfaces increases the latency, causing large delays in the network,
> when I delete COUNT rules, everything returns to normal, which can be?
>
> My script:

of course adding 512 rules, *all of which have to be evaluated* will add latency.

you have several ways to improve this situation.

1/ use a different tool. By using the netgraph netflow module you can get
accounting information that may be more useful and less impactful.

2/ you could make your rules smarter.. use skipto rules to make the average
packet traverse fewer rules..

off the top of my head.. (not tested..)
Assuming you have machines 10.0.0.1-10.0.0.254....
the rules below have an average packet traversing 19 rules and not 256
for the SYN packet and 2 rules for others..
you may not be able to do the keep state trick if you use state for other
stuff but in that case worst case will still be 19 rules.

2 check-state
5 skipto 10000 ip from not 10.0.0.0/24 to any
10 skipto 2020 ip from not 10.0.0.0/25 to any # 0-128
20 skipto 1030 ip from not 10.0.0.0/26 to any # 0-64
30 skipto 240 ip from not 10.0.0.0/27 to any # 0-32
40 skipto 100 ip from not 10.0.0.0/28 to any # 0-16
[16 count rules for 0-15]
80 skipto 10000 ip from any to any
100 [16 count rules for 16-31] keep-state
140 skipto 10000 ip from any to any
240 skipto 300 ip from not 10.0.0.32/28 to any
[16 rules for 32-47] keep-state
280 skipto 10000 ip from any to any
300 [16 count rules for 48-63] keep-state
340 skipto 10000 ip from any to any
1030 skipto 1240 ip from not 10.0.0.64/27 to any
1040 skipto 1100 ip from not 10.0.0.64/28 to any
[16 count rules for 64-79] keep-state
1080 skipto 10000 ip from any to any
1100 [16 rules for 80-95] keep-state
1140 skipto 10000 ip from any to any
1240 skipto 1300 ip from not 10.0.0.96/28 to any
[16 count rules for 96-111] keep-state
1280 skipto 10000 ip from any to any
1300 [16 rules for 112-127] keep-state
1340 skipto 10000 ip from any to any
2020 skipto 3030 ip from not 10.0.0.128/26 to any
2030 skipto 2240 ip from not 10.0.0.128/27 to any
2040 skipto 2100 ip from not 10.0.0.128/28 to any
[16 count rules for 128-143] keep-state
2080 skipto 10000 ip from any to any
2100 [16 rules for 144-159] keep-state
2140 skipto 10000 ip from any to any
2240 skipto 2300 ip from not 10.0.0.160/28 to any
[16 count rules for 160-175] keep-state
2280 skipto 10000 ip from any to any
2300 [16 count rules for 176-191] keep-state
2340 skipto 10000 ip from any to any
3030 skipto 3240 ip from not 10.0.0.192/27 to any
3040 skipto 3100 ip from not 10.0.0.192/28 to any
[16 count rules for 192-207] keep-state
3080 skipto 10000 ip from any to any
3100 [16 rules for 208-223] keep-state
3140 skipto 10000 ip from any to any
3240 skipto 3300 ip from not 10.0.0.224/28 to any
[16 count rules for 224-239] keep-state
3280 skipto 10000 ip from any to any
3300 [16 count rules for 240-255] keep-state
3340 skipto 10000 ip from any to any
10000 #other stuff

in fact you could improve it further with:
1/ either going down to a netmask of 29 (8 rules per set) or
2/ instead of having count rules make them skipto so you would have:
3300 skipto 10000 ip from 10.0.0.240 to any
3301 skipto 10000 ip from 10.0.0.241 to any
3302 skipto 10000 ip from 10.0.0.242 to any
3303 skipto 10000 ip from 10.0.0.243 to any
3304 skipto 10000 ip from 10.0.0.244 to any
3305 skipto 10000 ip from 10.0.0.245 to any
3306 skipto 10000 ip from 10.0.0.246 to any
3307 skipto 10000 ip from 10.0.0.247 to any
3308 skipto 10000 ip from 10.0.0.248 to any
3309 skipto 10000 ip from 10.0.0.249 to any
3310 skipto 10000 ip from 10.0.0.250 to any
3311 skipto 10000 ip from 10.0.0.251 to any
3312 skipto 10000 ip from 10.0.0.252 to any
3313 skipto 10000 ip from 10.0.0.253 to any
3314 skipto 10000 ip from 10.0.0.254 to any
3315 skipto 10000 ip from 10.0.0.255 to any
thus on average, a packet would traverse half the rules (8).
3/ both the above so on average they would traverse 4 rules plus one extra skipto.

you should be able to do the above in a script. I'd love to see it..
(you can also do skipto tablearg in -current (maybe 7.2 too) which may also
be good.. (or not))

julian
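A script that builds the skipto tree sketched in the mail and then walks it the way ipfw does, to count how many rules a packet from each host actually evaluates; this is an added example, not Julian's or FreeBSD's code. It assumes the 10.0.0.0/24 network from the thread, sequential rule numbering, and 10000 as the number of the "other stuff" rule; `leaf_skipto=True` is his second variant (per-host skipto instead of count) and `leaf=8` his /29 variant.

```python
NET, END = "10.0.0", 10000   # /24 from the thread; END = assumed number of the "other stuff" rule

def build(lo, hi, num, rules, leaf, leaf_skipto):
    """Emit rules for host indices [lo, hi) and return the next free rule number.
    A rule is (number, action, skipto target, ipfw match text, predicate on host index)."""
    size = hi - lo
    if size <= leaf:
        for h in range(lo, hi):               # one rule per host in this block
            act, tgt = ("skipto", END) if leaf_skipto else ("count", None)
            rules.append((num, act, tgt, f"ip from {NET}.{h} to any", lambda x, h=h: x == h))
            num += 1
        if not leaf_skipto:                   # count rules fall through, so leave explicitly
            rules.append((num, "skipto", END, "ip from any to any", lambda x: True))
            num += 1
        return num
    mid = lo + size // 2
    plen = 33 - (size // 2).bit_length()      # prefix length of the lower half
    slot, skip_num = len(rules), num
    rules.append(None)                        # target is known only after the lower half exists
    num = build(lo, mid, num + 1, rules, leaf, leaf_skipto)
    rules[slot] = (skip_num, "skipto", num, f"ip from not {NET}.{lo}/{plen} to any",
                   lambda x, lo=lo, mid=mid: not lo <= x < mid)
    return build(mid, hi, num, rules, leaf, leaf_skipto)

def ruleset(leaf=16, leaf_skipto=False):
    """leaf=16 is the /28 layout from the mail; leaf_skipto=True is the per-host skipto variant."""
    rules = [(1, "skipto", END, f"ip from not {NET}.0/24 to any", lambda x: False)]
    build(0, 256, 2, rules, leaf, leaf_skipto)
    return rules

def as_ipfw(rules):
    """Render the ruleset as ipfw(8) commands, e.g. 'ipfw add 2 skipto 146 ip from not ...'."""
    return [f"ipfw add {n} {a}{' ' + str(t) if t else ''} {m}" for n, a, t, m, _ in rules]

def rules_evaluated(rules, host):
    """Walk the rules for a packet from host index `host`; only a matching skipto moves the cursor."""
    i = n = 0
    while i < len(rules):
        _, action, target, _, pred = rules[i]
        n += 1
        if action == "skipto" and pred(host):
            if target == END:
                return n
            i = next(j for j, r in enumerate(rules) if r[0] >= target)
        else:
            i += 1
    return n

if __name__ == "__main__":
    print("\n".join(as_ipfw(ruleset())))
```

With the /28 layout every host evaluates 22 rules (the /24 guard, four skipto splits, 16 count rules and the exit skipto) instead of 258 for a flat list; the per-host skipto variant averages 13.5 because the walk stops at the matching host.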