From: Eugene Grosbein <eugen@grosbein.net>
To: Victor Gamov, "Andrey V. Elsukov", freebsd-net@freebsd.org
Subject: Re: finding optimal ipfw strategy
Date: Wed, 28 Aug 2019 04:45:36 +0700
Message-ID: <568ed3e1-caec-3988-16a5-0feea80f1630@grosbein.net>
List-Id: Networking and TCP/IP with FreeBSD

28.08.2019 3:59, Victor Gamov wrote:

>>> sysctl.conf
>>> =====
>>> net.link.ether.ipfw=1
>>> net.link.bridge.ipfw=1
>>> net.link.bridge.ipfw_arp=1
>>> net.link.bridge.pfil_member=1
>>>
>>> net.inet.ip.fw.verbose_limit=100
>>> net.inet.ip.fw.verbose=1
>>> =====
>>
>> Do you really use ipfw filtering based on layer2 parameters like MAC addresses?
>> If not, you should disable net.link.ether.ipfw. If yes, you should use the "layer2" keyword
>> explicitly in rules filtering by ethernet headers, place these rules above the others,
>> and use "allow ip from any to any layer2" after L2 filtering is done,
>> so L2 packets do not go through the other rules an extra time.
>>
>> Do you really need to filter each bridged L3 packet twice? Once as "out xmit $bridge"
>> and once as "out xmit $bridge_member"? If not, you should disable
>> net.link.bridge.ipfw and keep net.link.bridge.pfil_member=1 only.
>
> Packets must be filtered on input VLANs (bridge members) and on output VLANs. So net.link.bridge.pfil_member=1
>
>> Perhaps you are ruining the performance with such settings, making the same work 3 times without real need.
>> Do you really need filtering ARP? Disable net.link.bridge.ipfw_arp if not.
>
> I need to drop ARP moving via bridge. As I use many VLANs, all VLANs must be isolated and only multicast must be bridged from one VLAN to others. To block ARP the following rule is used:
>
> deny ip from any to any mac-type 0x0806 via bridge1202
>
> If I understand correctly, I need net.link.bridge.ipfw_arp and net.link.bridge.ipfw to do it. I'm not sure about net.link.ether.ipfw

Why do you need to filter ARP on a bridge? That's unusual. VLANs are isolated by default and by definition, unless you explicitly enable inter-VLAN routing and set up your routing table.
Anyway, you can skip the entire ipfw pass over a bridge because you filter its members anyway, so just drop ARP coming from any VLAN with the exception of the controlling one:

allow ip from any to any layer2 mac-type 0x0806 in recv $controlvlan
deny ip from any to any layer2 mac-type 0x0806 in
allow ip from any to any layer2

And then disable filtering for the bridge itself altogether. Decreasing the number of passes over ipfw should be your top priority because that's what can provide you with the most benefit. You should even rewrite your ruleset if that is needed to achieve this goal.