Date:      Fri, 2 Mar 2012 20:21:26 +0100
From:      Luigi Rizzo <rizzo@iet.unipi.it>
To:        net@freebsd.org
Subject:   userspace version of ipfw kernel module
Message-ID:  <20120302192126.GA46358@onelab2.iet.unipi.it>

I have written some glue code that lets you build a userspace version
of the kernel-side of ipfw (and dummynet), for the following purposes:

1. performance testing. You can run the ipfw_chk() code in a tight loop
   and actually measure its runtime, instead of being dependent
   on input traffic and device drivers and other overheads

2. (eventually) build userspace versions of the firewall on top of
   netmap or other accelerated I/O frameworks.

The tarball is at
	http://info.iet.unipi.it/~luigi/netmap/20120302-ipfw-user.tgz

The client side (ipfw/ipfw) talks to the former-kernel side (dummynet/ipfw)
via a tcp socket (localhost:5555) so you can inject rules etc.

To start a fake infinite traffic source do a
	telnet localhost 5556
and press some chars before aborting the connection

Then you can still check how fast the filter processes rules
by running something like this

	sh -c "while true; do ipfw/ipfw show; ipfw/ipfw zero; sleep 1; done"

I believe a similar approach could be useful for 'pf' too.
And the glue code is probably easy to recycle -- in the tarball,
sbin/ipfw and sys/netinet/ipfw are identical (except perhaps
for a few lines) to the version in head.

enjoy
luigi
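
Added example, not part of the original message or the tarball: the show/zero loop above loses whatever is counted between the two commands, so this sketch derives per-rule packets per second from two `ipfw show` snapshots without zeroing the counters. It assumes the usual `ipfw show` layout (rule number, packet count, byte count, rule body); the function names and the sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# rule_rates BEFORE AFTER SECONDS
# Prints "<rule number> <packets per second>" for each rule found in both
# snapshots, in the order the rules appear in AFTER.
rule_rates() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -v secs="$3" '
        $0 == "---" { second = 1; next }               # snapshot separator
        $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ { next }  # skip non-rule lines
        {
            # Key on rule number plus rule body: ipfw allows several rules
            # to share one number, so the number alone is not unique.
            key = $1
            for (i = 4; i <= NF; i++) key = key " " $i
        }
        !second { before[key] = $2; next }
        (key in before) {
            delta = $2 - before[key]
            if (delta < 0) delta = $2   # counters were zeroed in between
            printf "%s %.0f\n", $1, delta / secs
        }'
}

# total_rate BEFORE AFTER SECONDS
# Sum of the per-rule rates, i.e. rule matches per second over all rules.
total_rate() {
    rule_rates "$1" "$2" "$3" | awk '{ s += $2 } END { printf "%.0f\n", s }'
}

# Constructed sample snapshots (not real measurements), taken 2 s apart.
SNAP1='00100 1000000 64000000 allow ip from any to any
65535 0 0 deny ip from any to any'
SNAP2='00100 5000000 320000000 allow ip from any to any
65535 0 0 deny ip from any to any'

rule_rates "$SNAP1" "$SNAP2" 2
total_rate "$SNAP1" "$SNAP2" 2

# Live use against the userspace build (path as given in the message):
#   a=$(ipfw/ipfw show); sleep 2; b=$(ipfw/ipfw show); rule_rates "$a" "$b" 2
```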



