From owner-freebsd-net@FreeBSD.ORG Tue Aug 8 05:40:56 2006 Return-Path: X-Original-To: net@freebsd.org Delivered-To: freebsd-net@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F92716A4DA; Tue, 8 Aug 2006 05:40:56 +0000 (UTC) (envelope-from prvs=julian=368479a79@elischer.org) Received: from a50.ironport.com (a50.ironport.com [63.251.108.112]) by mx1.FreeBSD.org (Postfix) with ESMTP id D4D4743D45; Tue, 8 Aug 2006 05:40:55 +0000 (GMT) (envelope-from prvs=julian=368479a79@elischer.org) Received: from unknown (HELO [192.168.2.3]) ([10.251.60.101]) by a50.ironport.com with ESMTP; 07 Aug 2006 22:40:55 -0700 Message-ID: <44D823E6.1000900@elischer.org> Date: Mon, 07 Aug 2006 22:40:54 -0700 From: Julian Elischer User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060414 X-Accept-Language: en-us, en MIME-Version: 1.0 To: "Andrey V. Elsukov" References: <200608051358.k75DwpYr070713@repoman.freebsd.org> <20060807092251.GS96644@FreeBSD.org> <44D774E9.4010309@elischer.org> <44D80E8D.7010709@yandex.ru> In-Reply-To: <44D80E8D.7010709@yandex.ru> Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: 7bit Cc: Gleb Smirnoff , Stefan Farfeleder , net@freebsd.org Subject: Re: cvs commit: src/sbin/ipfw ipfw2.c X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Aug 2006 05:40:56 -0000 Andrey V. Elsukov wrote: > Julian Elischer wrote: > >> great.. I have been in ipfw(2) the last week and have some sugestions >> for >> increasing its efficiency.. especially the code that times out >> dynamic rules. > > Can you explain your suggestions in detail? > I sent the following to luigi: I repeat it here.. ------------ start comment to Luigi -------------- I haven't coded it yet but we run with maybe 50,000 dynamic rules at a time. (hopefully a lot more, maybe 200,000 in the near future) We need to simplify the code that times out the rules so that it doesn't have to scan through ALL the dynamic rules every clocktick. Basically I was thinking of implementing a timing wheel representing the next "600" seconds or so. (600 slots). "now" moves around the wheel. (The size of the wheel is the size of the largest lifetime value.) (maybe with a backup wheel at 600 seconds per slot or something) Each dynamic entry has an extra linkage to allow it to be linked onto the appropriate slot. whenever you use an entry you take it out of where-ever it is and put it into it's new slot X seconds into the future. At each tick you take all the entries that have reached "now" and do whatever needs t be done on only those entries. thus at each tick you only have a small amount of work to do instead fo looking at all 50,000 entries.