From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 28 03:40:49 2009
Date: Tue, 28 Apr 2009 11:40:48 +0800
From: Adrian Chadd
Sender: adrian.chadd@gmail.com
To: ddg@yan.com.br
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: Re: IPFW MAX RULES COUNT PERFORMANCE
In-Reply-To: <49F5DBB3.6030500@yan.com.br>
References: <49F06985.1000303@yan.com.br> <49F5DBB3.6030500@yan.com.br>
List-Id: IPFW Technical Discussions

You may want to investigate using pf; I'm not sure whether they handle
this better.

Me, I'd investigate writing a "tree" ipfw rule type. I.e., instead of
having a list of rules, all evaluated one at a time, I'd create a rule
implementing a subrule match on ip/netmask with some kind of action
(allow, deny, count, pipe, etc.) rather than having it all be evaluated
O(n) style.

2c,

Adrian

2009/4/28 Daniel Dias Gonçalves:
> Going to another example.
> If I wanted each authentication (username and password) in the captive
> portal to set up rules limiting the speed of the user's IP, how do I do
> that? Can I create two rules for in/out for each user, associated with a
> pipe? When simulating this with a script adding hundreds of rules, the
> latency also increases; how do I resolve this?
>
> Adrian Chadd wrote:
>> You'd almost certainly be better off hacking up an extension to ipfw
>> which lets you count a /24 in one rule.
>>
>> As in, the count rule would match on the subnet/netmask, have 256 32
>> (or 64 bit) integers allocated to record traffic in, and then do an
>> O(1) operation using the last octet of the v4 address to map it into
>> this 256 slot array to update counters for.
>>
>> It'd require a little tool hackery to extend ipfw in userland/kernel
>> space to do it but it would work and be (very almost) just as fast as
>> a single rule.
>>
>> 2c,
>>
>> Adrian
>>
>> 2009/4/23 Daniel Dias Gonçalves:
>>> Hi,
>>>
>>> My system is a FreeBSD 7.1R.
>>> When I add IPFW COUNT rules for 254 IPs from my network, one of my
>>> interfaces increases the latency, causing large delays in the network;
>>> when I delete the COUNT rules, everything returns to normal. What can
>>> it be?
>>>
>>> My script:
>>>
>>> ipcount.php
>>> -- CUT --
>>> <?php
>>> $c=0;       // number of hosts processed
>>> $a=50100;   // ipfw rule number for the first host
>>> for($x=0;$x<=0;$x++) {
>>>     for($y=1;$y<=254;$y++) {
>>>         $ip = "192.168.$x.$y";
>>>         // two count rules per host (inbound and outbound), same rule number
>>>         system("/sbin/ipfw -q add $a count { tcp or udp } from any to $ip/32");
>>>         system("/sbin/ipfw -q add $a count { tcp or udp } from $ip/32 to any");
>>>         #system("/sbin/ipfw delete $a");
>>>         $c++;
>>>         $a++;
>>>     }
>>> }
>>> echo "\n\nTotal: $c\n";
>>> ?>
>>> -- CUT --
>>>
>>> net.inet.ip.fw.dyn_keepalive: 1
>>> net.inet.ip.fw.dyn_short_lifetime: 5
>>> net.inet.ip.fw.dyn_udp_lifetime: 10
>>> net.inet.ip.fw.dyn_rst_lifetime: 1
>>> net.inet.ip.fw.dyn_fin_lifetime: 1
>>> net.inet.ip.fw.dyn_syn_lifetime: 20
>>> net.inet.ip.fw.dyn_ack_lifetime: 300
>>> net.inet.ip.fw.static_count: 262
>>> net.inet.ip.fw.dyn_max: 10000
>>> net.inet.ip.fw.dyn_count: 0
>>> net.inet.ip.fw.curr_dyn_buckets: 256
>>> net.inet.ip.fw.dyn_buckets: 10000
>>> net.inet.ip.fw.default_rule: 65535
>>> net.inet.ip.fw.verbose_limit: 0
>>> net.inet.ip.fw.verbose: 1
>>> net.inet.ip.fw.debug: 0
>>> net.inet.ip.fw.one_pass: 1
>>> net.inet.ip.fw.autoinc_step: 100
>>> net.inet.ip.fw.enable: 1
>>> net.link.ether.ipfw: 1
>>> net.link.bridge.ipfw: 0
>>> net.link.bridge.ipfw_arp: 0
>>>
>>> Thanks,
>>>
>>> Daniel
>>> _______________________________________________
>>> freebsd-net@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
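Adrian's per-/24 counter sketch (one rule that matches a subnet/netmask and keeps 256 slots indexed by the host part of the address, updated in O(1) instead of walking 508 per-host rules) as an added illustration in C. This is not code from the thread or from ipfw itself; the struct layout, function names and the sample packets are hypothetical and constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical "subnet count" rule, not ipfw's real layout: one netmask match
 * plus 256 per-host counters indexed by the host part of the address. */
struct subnet_count_rule {
    uint32_t net, mask;                 /* host byte order; 0xffffff00 for a /24 */
    uint64_t pkts[256], bytes[256];
};

/* Prefix length 24..32 so the host part fits 256 slots. Returns 1, or 0 on bad input. */
int subnet_rule_init(struct subnet_count_rule *r, const char *addr, int plen)
{
    struct in_addr a;
    if (plen < 24 || plen > 32 || inet_pton(AF_INET, addr, &a) != 1)
        return 0;
    memset(r, 0, sizeof(*r));
    r->mask = 0xffffffffu << (32 - plen);
    r->net = ntohl(a.s_addr) & r->mask;
    return 1;
}

/* Account one address (host byte order) in O(1): a mask compare plus an array
 * index, instead of one rule per host. Returns 1 if matched and counted. */
int subnet_rule_count(struct subnet_count_rule *r, uint32_t addr, uint32_t len)
{
    if ((addr & r->mask) != r->net)
        return 0;
    uint32_t slot = addr & ~r->mask;    /* the last octet for a /24 */
    r->pkts[slot]++;
    r->bytes[slot] += len;
    return 1;
}

/* Constructed sample, not captured traffic: two packets for 192.168.0.5 and one
 * for 192.168.1.5, which is outside the /24. Returns matches, or -1 on error. */
struct subnet_count_rule demo_rule;
int demo_run(void)
{
    static const uint32_t sample[][2] = {
        { 0xC0A80005u, 100 }, { 0xC0A80005u, 50 }, { 0xC0A80105u, 60 } };
    int matched = 0;
    if (!subnet_rule_init(&demo_rule, "192.168.0.0", 24))
        return -1;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        matched += subnet_rule_count(&demo_rule, sample[i][0], sample[i][1]);
    return matched;
}
```

A real extension would still need the userland rule parser and kernel-side opcode work Adrian mentions; this only models the data structure and the hot-path lookup.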