From: Vadim Goncharov
Reply-To: vadim_nuclight@mail.ru
To: freebsd-ipfw@freebsd.org
Cc: freebsd-hackers@freebsd.org
Date: Thu, 27 Mar 2008 06:46:54 +0000 (UTC)
Subject: Re: [HEADS UP!] IPFW Ideas: possible SoC 2008 candidate

Hi Julian Elischer!

On Wed, 26 Mar 2008 10:31:12 -0700, Julian Elischer wrote about
'Re: [HEADS UP!] IPFW Ideas: possible SoC 2008 candidate':

>>> here are some of my ideas for ipfw changes:
>>
>>> 1/ redo locking so that packets do not have to get locks on the
>>> structure... I have several ideas on this
>>
>> Currently the main need for locking arises from the rule byte/packet
>> counters. The easiest short-term solution

> The main need for locking is that the rules can be changed while a
> processor is traversing the rule set.

Oh, I hadn't finished that letter. I wanted to say that the easiest
short-term solution would be to split the main ruleset lock in two:
one lock for the ruleset and one for the counters, and to wrap the
only "f->*cnt +=" statement with the counter lock.

>>> 2/ allow separate firewalls to be used at different parts of the
>>> network stack (i.e. allow multiple tables to co-exist)

> there are many places that ipfw is currently callable from:
> ip_input(), ip_output(), ether_demux(), if_bridge, ether_output().
> it would be interesting to be able to have different firewalls in
> these places (possibly per interface) so that state (e.g. keep-state)
> can be kept separately for one place than for another.
> for example you may not want the result of 'keep state' on an
> external interface to necessarily affect what happens to
> packets from the same session when viewed traversing an internal
> interface.
> Currently in my more complex ipfw rule sets I break the rule sets
> out so that packets in different places traverse different rules,
> but it would be nice to have it explicitly supported.

Good.
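To be sure we mean the same thing, here is roughly how I picture it
(just a sketch; apart from ipfw_chk() and struct ip_fw, all names
below are made up for illustration):

    struct ip_fw;                 /* rule list, as in today's ipfw */
    struct ipfw_dyn_head;         /* hypothetical per-context state table */

    enum fw_place {               /* places the stack calls into ipfw */
            FW_IP_INPUT,
            FW_IP_OUTPUT,
            FW_ETHER_DEMUX,
            FW_ETHER_OUTPUT,
            FW_BRIDGE,
            FW_NPLACES
    };

    struct fw_context {
            struct ip_fw         *ctx_rules; /* this place's own ruleset */
            struct ipfw_dyn_head *ctx_dyn;   /* its own keep-state table */
    };

    /* NULL entry = no separate firewall here, use the shared one. */
    static struct fw_context *fw_contexts[FW_NPLACES];

ipfw_chk() would then take a struct fw_context * argument instead of
always walking the single global chain, and 'keep state' would install
its dynamic rule into the ctx_dyn of the context it fired in, unless
the rule asks for the shared table.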
That should be added to the proposal, in the part about creation of
dynamic rules: by default, all-shared dynamic rules should be used
(to preserve POLA), and an option in the rule could be specified for
a particular pass/layer.

>> Umm, could you explain it a little?..
>>
>>> 3/ possibly keeping per CPU stats..
>>
>> How would that be represented to the user?

> it wouldn't.. you'd add them together before presenting them.
> but every time a packet changes a counter that is shared, there is a
> chance that it is being altered by another processor, so if you have
> fine grained locking in ipfw, you really should use atomic adds,
> which are slow, or accept possible collisions (which might be ok)
> but still cause a lot of cross-CPU TLB flushing.

Looked at the code... oh... I was wrong above about splitting into
two locks, with the second one for the counters: a counter lock
simply doesn't exist, so counters can get corrupted right now :-)

The idea of keeping separate per-CPU counters *could* be reasonable,
but as O_COUNTERLIMIT is likely to be introduced, it will need access
to the already-combined values, which may be needed for every packet,
thus invalidating the whole idea.

The possible solution again lies in compiling the ruleset into a
single area of opcodes rather than a linked list. In that case the
counters can be moved out of the opcodes into a separate array of
int64's, which will be contiguous and much smaller than the current
opcode/counter mix, so the chances of cache misses/flushes will be
much smaller too.

-- 
WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
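P.S. To make the last idea a bit more concrete, here is a rough
sketch of the layout I have in mind (again only an illustration, all
names are made up):

    #include <stdint.h>

    struct fw_counter {
            uint64_t pcnt;          /* packets matched */
            uint64_t bcnt;          /* bytes matched */
    };

    struct fw_compiled {
            uint32_t           nrules;
            uint32_t          *opcodes;  /* all opcodes, back to back */
            struct fw_counter *counters; /* one entry per rule, contiguous */
    };

    /* The only place counters are touched on the fast path: */
    static inline void
    fw_count(struct fw_compiled *fw, uint32_t rulenum, uint64_t pktlen)
    {
            struct fw_counter *c = &fw->counters[rulenum];

            c->pcnt += 1;           /* still racy without atomics or a */
            c->bcnt += pktlen;      /* lock, but dense and cache-friendly */
    }

With the counters packed like this, one cache line holds the counters
of four rules, and a later switch to per-CPU copies of just this
array would not touch the opcode area at all.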