Date: Thu, 29 Aug 2019 11:39:47 -0700 (PDT)
From: "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
To: Eugene Grosbein <eugen@grosbein.net>
Cc: Victor Gamov <vit@otcnet.ru>, freebsd-net@freebsd.org
Subject: Re: finding optimal ipfw strategy
Message-ID: <201908291839.x7TIdlmh091176@gndrsh.dnsmgr.net>
In-Reply-To: <a6cdaeb4-5692-881a-c635-118466aeee4c@grosbein.net>
> 28.08.2019 23:58, Victor Gamov wrote:
> >
> > P.S. Two questions about rules syntax optimization. What is more effective:
> >
> > skipto tablearg udp from any to table(AllMcast_out)
> >
> > or
> >
> > skipto tablearg udp from any to table(AllMcast_out) out xmit vlan*
>
> Can't tell, this heavily depends on table contents and internal order of checks
> in kernel part of ipfw but general rule should still apply: less checks, better performance.

Given that the base part of the rule is identical it would seem that the first rule should be faster as it does not have to do the checks for "out xmit vlan*".

One of the things I do when writing a firewall is very early break up the traffic based on which interface(s) it is coming in/out of and do a skipto based on that, then further classify based on layers so that I am usually only doing 1 compare as it traverses down what is in effect a trie.

	dispatch on interface(s)
	dispatch on protocol (IP, ESP, OSPF, IGMP, ICMP, etc)
	IP: dispatch on transport (TCP, UDP, SCTP...)
	IPTCP: dispatch on setup, established..
	IPTCPsetup: dispatch on ports
	IPUDP: ...

I try to write my sets so that I never do the same comparison on a packet at any point in the firewall. I.e., once you're in the IPTCP set of rules I no longer check for tcp, only check port numbers and flags (setup, established, etc).

Does this seem like a reasonable and efficient approach?

> > I hope I can place such rule at top of ruleset and only allowed multicast packets outgoing via VLANs interfaces will hit this rule.
> >
> > and second:
> >
> > allow udp from $src1 to { 239.1.2.55 or 239.1.2.56 }
> >
> > or
> >
> > allow udp from src1 to 239.1.2.0/24{55,56}
>
> Last one should be much more efficient as it just needs to perform a couple of 32-bit masking operations
> and previous one is more general (IP addresses may belong to different networks) and requires slower search.

I disagree, the first one should be 2 simple 32 bit compares, the second one is a 32 bit AND (mask), and then 2 8 bit compares, and actually probably 32 bit compares due to data type promotion.

-- 
Rod Grimes                                                 rgrimes@freebsd.org
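A sketch of the trie-style layout described in this message, as an added example (not Rod's own ruleset): the WAN/LAN interface names, rule numbers, ports and ICMP types are constructed for illustration, and the skipto-target checker is a hypothetical helper for catching a jump to a rule number that was never defined.

```shell
#!/bin/sh
# Trie-style ipfw ruleset in the spirit of the approach above.
# Added example, not Rod's ruleset: interface names, rule numbers,
# ports and ICMP types are constructed for illustration.
EXT=em0   # assumed WAN interface
INT=em1   # assumed LAN interface

# emit_rules CMD: run each rule through CMD, e.g. "ipfw -q" to load
# it, or "echo" to dry-run and print the ruleset instead.
emit_rules() {
    fw="${1:-ipfw -q}"
    # level 1: decide on interface/direction once, then never again
    $fw add 100 skipto 1000 all from any to any in via $EXT
    $fw add 110 skipto 2000 all from any to any out via $EXT
    $fw add 120 allow all from any to any via $INT
    $fw add 130 deny all from any to any
    # level 2 (inbound on WAN): decide on protocol once
    $fw add 1000 skipto 1100 tcp from any to any
    $fw add 1010 skipto 1200 udp from any to any
    $fw add 1020 allow icmp from any to any icmptypes 0,3,8,11
    $fw add 1030 deny all from any to any
    # level 3 (inbound TCP): established vs setup, then ports only.
    # The "tcp" keyword is kept because ipfw needs a protocol in the
    # syntax, but every packet reaching here is already known to be TCP.
    $fw add 1100 allow tcp from any to any established
    $fw add 1110 skipto 1150 tcp from any to any setup
    $fw add 1120 deny tcp from any to any
    $fw add 1150 allow tcp from any to me 22,443 setup
    $fw add 1160 deny tcp from any to any
    # level 3 (inbound UDP): ports only
    $fw add 1200 allow udp from any to me 53
    $fw add 1210 deny udp from any to any
    # level 2 (outbound on WAN)
    $fw add 2000 allow all from any to any
}

# Sanity check for the trie: skipto N jumps to the first rule numbered
# >= N, so a typo in a target silently lands on some other rule.
# Exit status 0 means every skipto target is an actual rule number.
check_skipto_targets() {
    emit_rules echo | awk '
        $1 == "add"    { defined[$2] = 1 }
        $3 == "skipto" { targets[$4] = 1 }
        END { bad = 0
              for (t in targets) if (!(t in defined)) { print "missing rule " t; bad = 1 }
              exit bad }'
}
```

Run `emit_rules echo | less` to review the generated rules, and `check_skipto_targets` before loading them for real with `emit_rules "ipfw -q"`.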