From owner-freebsd-questions Sun Mar 19 4:56:55 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from nscache2.x-treme.gr (mail1.x-treme.gr [212.120.196.23])
	by hub.freebsd.org (Postfix) with ESMTP id 3081B37B5BA
	for ; Sun, 19 Mar 2000 04:56:49 -0800 (PST)
	(envelope-from keramida@ceid.upatras.gr)
Received: from hades.hell.gr (pat16.x-treme.gr [212.120.197.208])
	by nscache2.x-treme.gr (8.9.3/8.9.3/IPNG-ADV-ANTISPAM-0.1) with ESMTP id OAA22111;
	Sun, 19 Mar 2000 14:56:39 +0200
Received: (from charon@localhost)
	by hades.hell.gr (8.9.3/8.9.3) id OAA67066;
	Sun, 19 Mar 2000 14:33:43 +0200 (EET)
	(envelope-from keramida@ceid.upatras.gr)
Date: Sun, 19 Mar 2000 14:33:42 +0200
From: Giorgos Keramidas
To: Troy Settle
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW Pipes / dummy net
Message-ID: <20000319143342.C66632@hades.hell.gr>
Reply-To: keramida@ceid.upatras.gr
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from troy@picus.com on Sat, Mar 18, 2000 at 01:39:04PM -0500
X-PGP-Fingerprint: 62 45 D1 C9 26 F9 95 06 D6 21 2A C8 8C 16 C0 8E
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, Mar 18, 2000 at 01:39:04PM -0500, Troy Settle wrote:
>
> What is the practical limit on the number of pipes that FreeBSD's IPFW can
> handle? Dozens? Hundreds? Thousands? Tens of thousands?

The last rule that you can give a number to with ipfw is 65535. When I
tried using 70,000 as the number of a rule this afternoon, as shown in:

	ipfw add 70000 allow ip from any to any

I got a rule with number 4464. Now this is a strange rule number to get
from 70000, but if one sees the two numbers in hex, it's obvious why it
was done so. The number 70000 = 0x11170, when AND'ed with a 16-bit mask,
0xffff, gives 0x1170 = 4464 :)

This means that you can only use a 16-bit rule number for ipfw.

> The application I have in mind, is setting up all our web hosting /
> colocations behind a FreeBSD box, and filter everyone through IPFW to
> control and monitor bandwidth usage.

Bearing in mind that rules in ipfw can have 16-bit numbers assigned to
them, even if your ipfw rules are ALL sending data through pipes, you
can not use more than 65535 different pipes (2**16 - 1). I suspect not
because ipfw would not be able to handle all of them, but just because
you can't enumerate more rules than that piping data to them.

Ciao,

- Giorgos Keramidas

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
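
The wrap-around reported in the message above matters for a firewall because ipfw evaluates rules in ascending number order, so a rule meant to come last can silently land ahead of others. The following is an added example, not part of the original message: a lint for ruleset scripts, where the function names, the one-rule-per-line `ipfw add N ...` layout and the sample ruleset are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint a ruleset for rule numbers above 65535, which the
# message above reports being masked to 16 bits (70000 -> 4464).
# Assumption: rules are written one per line as "ipfw add N ...".

# Prints one line per wrapped rule and returns 1 if any were found.
check_rule_numbers() {
    awk '
    $1 == "ipfw" && $2 == "add" && $3 ~ /^[0-9]+$/ {
        num[NR] = $3 + 0
        if (num[NR] <= 65535) used[num[NR]] = 1
    }
    END {
        bad = 0
        for (i = 1; i <= NR; i++) {
            if (!(i in num) || num[i] <= 65535) continue
            eff = num[i] % 65536        # equivalent to num & 0xffff
            ahead = 0                   # in-range rules it now precedes
            for (k in used) if (k + 0 > eff) ahead++
            printf "WRAP line=%d wanted=%d actual=%d precedes=%d%s\n", \
                i, num[i], eff, ahead, ((eff in used) ? " COLLIDES" : "")
            bad = 1
        }
        exit bad
    }'
}

# Constructed sample ruleset (not from the original message).
sample_ruleset() {
    cat <<'EOF'
ipfw add 1000 pipe 1 ip from 10.0.0.1 to any
ipfw add 5000 deny ip from any to 10.0.0.0/8
ipfw add 70000 allow ip from any to any
ipfw add 66536 pipe 2 ip from 10.0.0.2 to any
EOF
}

sample_ruleset | check_rule_numbers || true
```

In the sample, the allow-all rule intended as number 70000 is reported at 4464, ahead of the deny rule at 5000, and 66536 is reported as colliding with the existing rule 1000.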