From owner-freebsd-net@FreeBSD.ORG Fri Apr 24 17:06:46 2009
From: Adrian Chadd <adrian.chadd@gmail.com>
To: ddg@yan.com.br
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Date: Sat, 25 Apr 2009 01:06:45 +0800
Subject: Re: IPFW MAX RULES COUNT PERFORMANCE
In-Reply-To: <49F06985.1000303@yan.com.br>
List-Id: Networking and TCP/IP with FreeBSD

You'd almost certainly be better off hacking up an extension to ipfw which
lets you count a /24 in one rule. As in, the count rule would match on the
subnet/netmask, have 256 32- (or 64-)bit integers allocated to record traffic
in, and then do an O(1) operation using the last octet of the v4 address to
map it into this 256-slot array to update counters for.

It'd require a little tool hackery to extend ipfw in userland/kernel space to
do it, but it would work and be (very almost) just as fast as a single rule.

2c,

Adrian

2009/4/23 Daniel Dias Gonçalves:
> Hi,
>
> My system is a FreeBSD 7.1R.
> When I add IPFW COUNT rules for 254 IPs from my network, one of my interfaces
> increases the latency, causing large delays in the network; when I delete the
> COUNT rules, everything returns to normal. What can it be?
>
> My script:
>
> ipcount.php
> -- CUT --
> <?php
> # Adds two one-host count rules (to and from) for every host in 192.168.0.0/24.
> $c=0;
> $a=50100;
> for($x=0;$x<=0;$x++) {
>         for($y=1;$y<=254;$y++) {
>                 $ip = "192.168.$x.$y";
>                 system("/sbin/ipfw -q add $a count { tcp or udp } from any to $ip/32");
>                 system("/sbin/ipfw -q add $a count { tcp or udp } from $ip/32 to any");
>                 #system("/sbin/ipfw delete $a");
>                 $c++;
>                 $a++;
>         }
> }
> echo "\n\nTotal: $c\n";
> ?>
> -- CUT --
>
> net.inet.ip.fw.dyn_keepalive: 1
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.static_count: 262
> net.inet.ip.fw.dyn_max: 10000
> net.inet.ip.fw.dyn_count: 0
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_buckets: 10000
> net.inet.ip.fw.default_rule: 65535
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.debug: 0
> net.inet.ip.fw.one_pass: 1
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.enable: 1
> net.link.ether.ipfw: 1
> net.link.bridge.ipfw: 0
> net.link.bridge.ipfw_arp: 0
>
> Thanks,
>
> Daniel
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
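The /24 counter block Adrian sketches, written out as an added C example (it is not ipfw's code and not from either poster): the struct and function names are hypothetical, and the sample traffic in run_sample() is constructed. It shows why the lookup is O(1) where Daniel's 508 one-host rules are a linear walk per packet.

```c
#include <stdint.h>
#include <stdio.h>

/* One hypothetical ipfw "count" rule for a whole /24: 256 counter slots
 * selected by the last octet, instead of 508 one-host rules that ipfw
 * walks linearly for every packet. Names here are ours, not ipfw's. */
struct subnet_count {
	uint32_t net;          /* network address, host byte order (192.168.0.0) */
	uint64_t pkts[256];    /* per-host packet counters, slot = last octet */
};

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
	return (a << 24) | (b << 16) | (c << 8) | d;
}

static void subnet_count_init(struct subnet_count *sc, uint32_t net) {
	*sc = (struct subnet_count){ .net = net & 0xffffff00u }; /* /24 mask */
}

/* Match addr against the subnet and bump its slot; returns 1 on match. */
static int subnet_count_one(struct subnet_count *sc, uint32_t addr) {
	if ((addr & 0xffffff00u) != sc->net)
		return 0;
	sc->pkts[addr & 0xffu]++;   /* O(1): last octet is the index, no rule walk */
	return 1;
}

/* One packet: replaces both "from any to $ip" and "from $ip to any" rules. */
static int subnet_count_packet(struct subnet_count *sc, uint32_t src, uint32_t dst) {
	return subnet_count_one(sc, src) + subnet_count_one(sc, dst);
}
static struct subnet_count g_sc;

/* Feed constructed sample traffic; returns total slot updates (4 here). */
static int run_sample(void) {
	subnet_count_init(&g_sc, ip4(192, 168, 0, 0));
	int n = subnet_count_packet(&g_sc, ip4(192, 168, 0, 10), ip4(8, 8, 8, 8));
	n += subnet_count_packet(&g_sc, ip4(8, 8, 8, 8), ip4(192, 168, 0, 10));
	n += subnet_count_packet(&g_sc, ip4(192, 168, 0, 10), ip4(192, 168, 0, 20));
	n += subnet_count_packet(&g_sc, ip4(10, 0, 0, 1), ip4(10, 0, 0, 2)); /* no match */
	return n;
}

int main(void) {
	run_sample();
	for (int i = 0; i < 256; i++)
		if (g_sc.pkts[i])
			printf("192.168.0.%d: %llu pkts\n", i, (unsigned long long)g_sc.pkts[i]);
	return 0;
}
```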