Date: Tue, 24 Aug 2021 15:30:38 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: ipfw Table Organization
Message-ID: <CAHu1Y71uhG4WdfWOb-nR=DqNgr-pMOkKBTWZBdfp8NCeQSLHRw@mail.gmail.com>
In-Reply-To: <9e6cd8e2-a06e-468b-7245-d5ff13309763@tundraware.com>
References: <9e6cd8e2-a06e-468b-7245-d5ff13309763@tundraware.com>
On Tue, Aug 24, 2021 at 2:47 PM Tim Daneliuk via freebsd-questions <freebsd-questions@freebsd.org> wrote:

> Is there any particular advantage - performance or otherwise - to breaking up
> a large ipfw table into smaller tables?
>
> We have a few firewalls approaching 100,000 rules for blocking addresses
> and CIDR blocks.

Do you really mean 100,000 firewall rules? 100,000 CIDR blocks is not a problem. You should probably consolidate CIDR blocks before adding them to a table, because it's a longest-prefix-match.

> The IPs are read from separate text files in a loop
> in the firewall init code, but are all written to a single table.

I have a framework that collects IPs and CIDR blocks from various sources (for blocking). Two tables are used for this – so I can atomically replace the table contents via table swap. None of this is done in the firewall init code, it's all done via a cronjob. I use the table arg to store an integer that says what the source was. The firewall init script only gets invoked at startup, or when rules change.

> This is easy to maintain, but the concern is that we may be clobbering runtime
> performance.

Did you know you can add an entire file to a table, if the lines consist of <CIDR> <Table arg> ? Empirically, this works for up to 8192 entries, so I split the file into files of that size, add them, then delete the splits.

My pcengines box has

CPU: AMD GX-412TC SOC (998.15-MHz K8-class CPU)

root@hearst:/usr/src 210# ipfw table reject list | wc -l
99787

Something with decent power could easily filter 250,000 CIDR blocks.
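A shell version of the chunked load plus table swap described in the reply above, added here as an example; it is not Michael's own framework. It assumes the live table `reject` and a staging table `reject_new` already exist (`ipfw table NAME create type addr`), an input file with one `<CIDR> <arg>` pair per line, and an `IPFW` variable so the commands can be recorded in a dry run instead of hitting a real firewall.

```sh
#!/bin/sh
# Added example: refresh an ipfw address table from a "<CIDR> <arg>" file,
# at most $CHUNK entries per "ipfw table ... add" call, then swap it live.
IPFW=${IPFW:-ipfw}     # override (e.g. with a logging function) for dry runs
CHUNK=${CHUNK:-8192}   # per-command entry limit the post found empirically

# load_table NAME FILE: feed FILE into table NAME in $CHUNK-line pieces.
# Prints the number of "add" commands issued; returns non-zero on failure.
load_table() {
    name=$1 file=$2 n=0
    [ -s "$file" ] || { echo 0; return 0; }     # nothing to load
    tmp=$(mktemp -d) || return 1
    split -l "$CHUNK" "$file" "$tmp/part."      # part.aa, part.ab, ...
    for part in "$tmp"/part.*; do
        # $(cat) is deliberately unquoted: every "<CIDR> <arg>" line becomes
        # a key/value argument pair, which is what "table NAME add" expects.
        $IPFW table "$name" add $(cat "$part") || { rm -rf "$tmp"; return 1; }
        n=$((n + 1))
    done
    rm -rf "$tmp"                               # delete the splits
    echo "$n"
}

# refresh_reject FILE: stage the new list in reject_new, then swap it with
# the live reject table in one operation. A failed load leaves the live
# table untouched; after the swap, reject_new holds the previous list and
# is flushed on the next run.
refresh_reject() {
    file=$1
    $IPFW table reject_new flush || return 1
    load_table reject_new "$file" >/dev/null || return 1
    $IPFW table reject swap reject_new
}
```

Run it from cron rather than from the firewall init script, as the reply describes, so the rule set itself never has to be reloaded to pick up a new block list.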