From owner-freebsd-net@FreeBSD.ORG  Fri Apr 24 17:06:46 2009
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E89081065670
	for <freebsd-net@freebsd.org>; Fri, 24 Apr 2009 17:06:46 +0000 (UTC)
	(envelope-from adrian.chadd@gmail.com)
Received: from mail-qy0-f105.google.com (mail-qy0-f105.google.com
	[209.85.221.105])
	by mx1.freebsd.org (Postfix) with ESMTP id 8FE438FC1D
	for <freebsd-net@freebsd.org>; Fri, 24 Apr 2009 17:06:46 +0000 (UTC)
	(envelope-from adrian.chadd@gmail.com)
Received: by qyk3 with SMTP id 3so2430505qyk.3
	for <multiple recipients>; Fri, 24 Apr 2009 10:06:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:sender:received:in-reply-to
	:references:date:x-google-sender-auth:message-id:subject:from:to:cc
	:content-type:content-transfer-encoding;
	bh=Dms0aXVyhyq29rkfEOyttN+NXXccjrmEfnka+0/kv7I=;
	b=OtUp3YVEfQgPqtCuCfKprgsjIKoAVzn/4h1uRmD2+mSxIOHwB3huYGtnKnFZxJhCdU
	8G3pWVRJNUkG22moEz7bemUWX5JmTjp2Ajz+/6s/uSyTK6simNx8zyY/55YFo2R4HA8d
	H62gnrPM+VY8XMbeJ5f+tuvAVjIFYbJUt45JQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:sender:in-reply-to:references:date
	:x-google-sender-auth:message-id:subject:from:to:cc:content-type
	:content-transfer-encoding;
	b=vqH1WU6EJtSQgiC1e7+aonJbHyMI1w22RPiLJD3FZXmY+D96L79QrPqse/24ojsjir
	eFzRqk1DLO4xLjpYRwRXdFfp+UlLKIwQAKTezuhWstWQB6/aLRBj7yYVoqjR2a7twKCg
	FtbRwf0Mjl3m+CJLJKwWnektxTl2E9vxs8ZSA=
MIME-Version: 1.0
Sender: adrian.chadd@gmail.com
Received: by 10.229.85.143 with SMTP id o15mr1663377qcl.1.1240592805948; Fri, 
	24 Apr 2009 10:06:45 -0700 (PDT)
In-Reply-To: <49F06985.1000303@yan.com.br>
References: <49F06985.1000303@yan.com.br>
Date: Sat, 25 Apr 2009 01:06:45 +0800
X-Google-Sender-Auth: a837a73ca830f1b9
Message-ID: <d763ac660904241006v3eca3e76p46534ec5a6561fb2@mail.gmail.com>
From: Adrian Chadd <adrian@freebsd.org>
To: ddg@yan.com.br
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: Re: IPFW MAX RULES COUNT PERFORMANCE
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2009 17:06:47 -0000

You'd almost certainly be better off hacking up an extension to ipfw
which lets you count a /24 in one rule.

As in, the count rule would match on the subnet/netmask, have 256 32
(or 64 bit) integers allocated to record traffic in, and then do an
O(1) operation using the last octet of the v4 address to map it into
this 256 slot array to update counters for.

It'd require a little tool hackery to extend ipfw in userland/kernel
space to do it but it would work and be (very almost) just as fast as
a single rule.

2c,



Adrian

2009/4/23 Daniel Dias Gon=E7alves <ddg@yan.com.br>:
> Hi,
>
> My system is a FreeBSD 7.1R.
> When I add rules IPFW COUNT to 254 IPS from my network, one of my interfa=
ces
> increases the latency, causing large delays in the network, when I delete
> COUNT rules, everything returns to normal, which can be ?
>
> My script:
>
> ipcount.php
> -- CUT --
> <?
> $c=3D0;
> $a=3D50100;
> for($x=3D0;$x<=3D0;$x++) {
> =A0 =A0 =A0 for($y=3D1;$y<=3D254;$y++) {
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 $ip =3D "192.168.$x.$y";
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 system("/sbin/ipfw -q add $a count { tcp or u=
dp } from any to
> $ip/32");
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 system("/sbin/ipfw -q add $a count { tcp or u=
dp } from $ip/32
> to any");
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 #system("/sbin/ipfw delete $a");
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 $c++;
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 $a++;
> =A0 =A0 =A0 }
> }
> echo "\n\nTotal: $c\n";
> ?>
> -- CUT --
>
> net.inet.ip.fw.dyn_keepalive: 1
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.static_count: 262
> net.inet.ip.fw.dyn_max: 10000
> net.inet.ip.fw.dyn_count: 0
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_buckets: 10000
> net.inet.ip.fw.default_rule: 65535
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.debug: 0
> net.inet.ip.fw.one_pass: 1
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.enable: 1
> net.link.ether.ipfw: 1
> net.link.bridge.ipfw: 0
> net.link.bridge.ipfw_arp: 0
>
> Thanks,
>
> Daniel
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>