From owner-freebsd-net@FreeBSD.ORG Fri Apr 24 17:15:19 2009
Date: Fri, 24 Apr 2009 19:58:12 +0300
From: "Anatoliy.Poloz"
Reply-To: Anatoliy.Poloz@onetelecom.od.ua
To: Bill Moran
Cc: freebsd-ipfw@freebsd.org, Julian Elischer, ddg@yan.com.br, freebsd-net@freebsd.org
Subject: Re: IPFW MAX RULES COUNT PERFORMANCE
Message-ID: <49F1EFA4.7000107@onetelecom.od.ua>
In-Reply-To: <20090424124202.951a82e1.wmoran@collaborativefusion.com>
References: <49F06985.1000303@yan.com.br> <49F0A7DD.30206@elischer.org> <49F1DBAE.1080205@yan.com.br> <20090424124202.951a82e1.wmoran@collaborativefusion.com>
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: Thunderbird 2.0.0.21 (X11/20090321)

Bill Moran wrote:
> In response to Daniel Dias Gonçalves :
>
>> Very good thinking, congratulations, but my need is another.
>> The objective is a Captive Portal where, for each authentication, a rule
>> is dynamically created to ALLOW or COUNT the authenticated IP. What I'm
>> testing is the maximum capacity of rules supported, and therefore of
>> simultaneous users.
>>
>> Understand?
>
> If you're only doing allow, then you'd be better off using a table,
> which has much better performance than a bunch of separate rules.
>
> If you're counting packets, I don't know if that approach will work
> or not.
>

If you need to count IP traffic for all clients you can use a simpler and
more performant rule set, like this one:

  LOCAL_NET=192.168.0.0/24
  # bw 0 = no bandwidth limit; the pipe is used only for per-host accounting.
  # mask src-ip 0xffffffff -> one dynamic queue (and counter) per source host.
  ipfw pipe 100 config bw 0 mask src-ip 0xffffffff
  # Second pipe for inbound traffic, keyed on the destination host.
  ipfw pipe 200 config bw 0 mask dst-ip 0xffffffff
  # Two static rules cover every client; no per-user rule is needed.
  ipfw add 100 pipe 100 ip from ${LOCAL_NET} to any out
  ipfw add 200 pipe 200 ip from any to ${LOCAL_NET} in
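To make the mask semantics in the rule set above concrete, here is a small model, added as an illustration and not code from the thread or from FreeBSD itself. It replays constructed sample packets through the two rules (outbound keyed on src-ip, inbound keyed on dst-ip) and derives the dummynet flow key as address AND mask, so a 0xffffffff mask yields one counter per host while a 0xffffff00 mask (not used in the thread, shown only to generalize) yields one counter per /24. The packet list, LOCAL_NET value and function names are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample traffic: (src, dst, length in bytes). Not captured data.
SAMPLE_PACKETS = [
    ("192.168.0.10", "8.8.8.8", 1500),
    ("192.168.0.10", "1.1.1.1", 500),
    ("192.168.0.11", "8.8.8.8", 100),
    ("8.8.8.8", "192.168.0.10", 3000),
    ("8.8.8.8", "192.168.0.11", 200),
    ("10.0.0.5", "8.8.8.8", 999),  # neither endpoint in LOCAL_NET: matches no rule
]

# Same value the rule set in the mail uses (assumed local network).
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")


def masked(addr: str, mask: int) -> str:
    """Dummynet-style flow key: the address ANDed with the pipe's mask."""
    return str(ipaddress.ip_address(int(ipaddress.ip_address(addr)) & mask))


def account(packets, local_net=LOCAL_NET,
            src_mask=0xFFFFFFFF, dst_mask=0xFFFFFFFF):
    """Model rule 100 (pipe 100, outbound, keyed on src-ip) and
    rule 200 (pipe 200, inbound, keyed on dst-ip).

    Returns two dicts: bytes per flow key for outbound and inbound traffic.
    Locally sourced packets are treated as outbound, matching rule 100 first.
    """
    out_bytes = defaultdict(int)
    in_bytes = defaultdict(int)
    for src, dst, length in packets:
        if ipaddress.ip_address(src) in local_net:
            out_bytes[masked(src, src_mask)] += length   # rule 100 -> pipe 100
        elif ipaddress.ip_address(dst) in local_net:
            in_bytes[masked(dst, dst_mask)] += length    # rule 200 -> pipe 200
        # anything else matches neither rule and is not counted
    return dict(out_bytes), dict(in_bytes)


if __name__ == "__main__":
    for label, masks in (("per host (/32)", (0xFFFFFFFF, 0xFFFFFFFF)),
                         ("per /24", (0xFFFFFF00, 0xFFFFFF00))):
        out_b, in_b = account(SAMPLE_PACKETS, src_mask=masks[0], dst_mask=masks[1])
        print(label, "out:", out_b, "in:", in_b)
```

Running it shows why two static rules suffice: the number of counters grows with the number of distinct masked addresses seen, not with the number of rules, which is the property the per-user-rule approach in the original question lacks.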