From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 26 18:29:04 2011
From: Karim
To: freebsd-ipfw@freebsd.org
Date: Wed, 26 Oct 2011 14:28:56 -0400
Subject: Re: ipfw rule processing performances
Message-ID: <4EA85168.5020103@gmail.com>
References: <4EA6D78F.6010607@gmail.com> <4EA73BAB.70607@freebsd.org>
List-Id: IPFW Technical Discussions

On 11-10-25 11:30 PM, Michael Sierchio wrote:
> On Tue, Oct 25, 2011 at 6:43 PM, Julian Elischer wrote:
>
>> I find that the structure of the ruleset has a huge effect on the cpu usage.
>>
>> for example I immediately split incoming and outgoing packets apart and send
>> them to different groups of rules.
>> I also have different groups of rules for internal and external rules.
>> so my rulesets usually start with:
>>
>> skipto 1000 all from any to any in recv ${OUTSIDE_INTERFACE}
>> skipto 2000 all from any to any in recv ${INSIDE_INTERFACE}
>> skipto 3000 all from any to any out xmit ${OUTSIDE_INTERFACE}
>> skipto 4000 all from any to any out xmit ${INSIDE_INTERFACE}
>> allow all from any to any via lo0
>> drop all from any to any
>>
>> I also try to use tables whenever possible.
>
> I've found the same to be true, and use a scheme similar to what
> Julian describes - I have rules grouped based on interface and
> direction. Having larger tables and fewer table lookups is faster, in
> my experience - such that I have a big block list (~20,000 nets) and a
> small whitelist (~20 nets) ...
>
> - M
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

Hi,

Thanks to everyone who contributed, I will try to digest all the information and see how I can improve my ruleset.

Couple of points I've identified so far:

1) As Luigi's article points out, route lookups are expensive due to locking (I am using verrevpath ...)
2) ipfw_nat performance impact is an unknown at the moment (?)
3) Using mbuf tags (IPFW_TAG) is costly (so is ALTQ due to pf_tags and FORWARD_IP due to m_tag). In other words, policy based routing is costly.
4) It's preferable to split incoming and outgoing packets apart as early as possible in the ruleset

Anything else I'm missing?

Regards,

Karim.
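The ruleset shape Julian and Michael describe (one skipto dispatch per interface and direction, then a small whitelist table and one large block table consulted at most once per block) as a loadable script. This is an added example and not code from anyone in the thread; the interface names em0/em1, the table numbers, the rule numbers and the sample networks are constructed, and the per-block policies (SSH in from outside, trust the LAN, keep-state for replies) are placeholders to be replaced with the site's own policy.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw ruleset in the structure
# described by Julian and Michael. Every packet is classified once by
# interface and direction and jumps to its own block, so the other three
# blocks are never walked, and each block does at most two table lookups.
# Interface names, table numbers, rule numbers and nets are assumptions.

IPFW=${IPFW:-"/sbin/ipfw -q"}    # set IPFW=echo to print rules instead of loading them
OUTSIDE_INTERFACE=${OUTSIDE_INTERFACE:-em0}
INSIDE_INTERFACE=${INSIDE_INTERFACE:-em1}
BLOCK_TABLE=1    # the big deny list (tens of thousands of nets in Michael's setup)
ALLOW_TABLE=2    # the small whitelist

# Constructed sample entries (RFC 5737 documentation ranges); in production
# these are read from a file with "ipfw table N add" per line.
BLOCK_NETS="198.51.100.0/24 203.0.113.0/24"
ALLOW_NETS="192.0.2.10/32"

load_tables() {
    $IPFW table "$BLOCK_TABLE" flush
    $IPFW table "$ALLOW_TABLE" flush
    for net in $BLOCK_NETS; do $IPFW table "$BLOCK_TABLE" add "$net"; done
    for net in $ALLOW_NETS; do $IPFW table "$ALLOW_TABLE" add "$net"; done
}

load_rules() {
    $IPFW -f flush

    # Dispatch block: four skipto rules, loopback, then a default deny that
    # catches anything not matched by an interface (e.g. an unexpected NIC).
    $IPFW add 100 skipto 1000 all from any to any in recv "$OUTSIDE_INTERFACE"
    $IPFW add 110 skipto 2000 all from any to any in recv "$INSIDE_INTERFACE"
    $IPFW add 120 skipto 3000 all from any to any out xmit "$OUTSIDE_INTERFACE"
    $IPFW add 130 skipto 4000 all from any to any out xmit "$INSIDE_INTERFACE"
    $IPFW add 140 allow all from any to any via lo0
    $IPFW add 150 deny all from any to any

    # 1000: inbound from the outside. Whitelist first (tiny table), then the
    # block list (one lookup into the large table), then stateful matching.
    $IPFW add 1000 allow all from "table($ALLOW_TABLE)" to any
    $IPFW add 1010 deny all from "table($BLOCK_TABLE)" to any
    $IPFW add 1020 check-state
    $IPFW add 1030 allow tcp from any to me 22 setup keep-state
    $IPFW add 1999 deny all from any to any

    # 2000: inbound from the LAN. Refuse blocked destinations, then open state
    # so the reply is matched by check-state in the 1000 and 4000 blocks.
    $IPFW add 2000 deny all from any to "table($BLOCK_TABLE)"
    $IPFW add 2010 check-state
    $IPFW add 2020 allow all from any to any keep-state
    $IPFW add 2999 deny all from any to any

    # 3000: outbound on the outside interface (forwarded LAN traffic already
    # has state; this host's own traffic is allowed here, block list first).
    $IPFW add 3000 check-state
    $IPFW add 3010 deny all from me to "table($BLOCK_TABLE)"
    $IPFW add 3020 allow all from me to any keep-state
    $IPFW add 3999 deny all from any to any

    # 4000: outbound to the LAN: only replies for flows opened elsewhere.
    $IPFW add 4000 check-state
    $IPFW add 4999 deny all from any to any
}

# Print the exact commands that would be issued, without touching the kernel.
dump_rules() {
    ( IPFW=echo; load_tables; load_rules )
}

# "sh ipfw.rules" prints the ruleset; "sh ipfw.rules apply" loads it.
case "${1:-dry-run}" in
    apply)   load_tables; load_rules ;;
    dry-run) dump_rules ;;
esac
```

The dry-run mode is worth keeping in a production script: a quick `sh ipfw.rules | grep -c 'table('` shows how many table lookups each block can cost, which is the quantity Michael's observation is about. Tables are a radix trie, so a lookup costs roughly the same whether the table holds 20 or 20,000 prefixes; what scales with the ruleset is the number of lookups per packet, which is why one big block table beats many small ones.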