Date:      Fri, 24 Apr 2009 19:58:12 +0300
From:      "Anatoliy.Poloz" <Anatoliy.Poloz@onetelecom.od.ua>
To:        Bill Moran <wmoran@collaborativefusion.com>
Cc:        freebsd-ipfw@freebsd.org, Julian Elischer <julian@elischer.org>, ddg@yan.com.br, freebsd-net@freebsd.org
Subject:   Re: IPFW MAX RULES COUNT PERFORMANCE
Message-ID:  <49F1EFA4.7000107@onetelecom.od.ua>
In-Reply-To: <20090424124202.951a82e1.wmoran@collaborativefusion.com>
References:  <49F06985.1000303@yan.com.br> <49F0A7DD.30206@elischer.org>	<49F1DBAE.1080205@yan.com.br> <20090424124202.951a82e1.wmoran@collaborativefusion.com>

Bill Moran wrote:
> In response to Daniel Dias Gonçalves <ddg@yan.com.br>:
> 
>> Very good thinking, congratulations, but my need is another.
>> The objective is a Captive Portal that each authentication is 
>> dynamically created a rule to ALLOW or COUNT IP authenticated, which I'm 
>> testing is what is the maximum capacity of rules supported, therefore 
>> simultaneous user.
>>
>> Understand ?
> 
> If you're only doing allow, then you'd be better off using a table,
> which has much better performance than a bunch of separate rules.
> 
> If you're counting packets, I don't know if that approach will work
> or not.
> 
If you need to count IP traffic for all clients, you can use a simple and more 
performant rule set, like this one:


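LOCAL_NET=192.168.0.0/24

# bw 0 = no bandwidth limit; the full mask creates one dynamic queue per host,
# so each client gets its own packet/byte counters (see "ipfw pipe show").
ipfw pipe 100 config bw 0 mask src-ip 0xffffffff
ipfw pipe 200 config bw 0 mask dst-ip 0xffffffff

# Traffic from clients is keyed by source IP (pipe 100),
# traffic to clients by destination IP (pipe 200).
ipfw add 100 pipe 100 ip from ${LOCAL_NET} to any out
ipfw add 200 pipe 200 ip from any to ${LOCAL_NET} in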


