From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 24 15:35:05 2009 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A4F02106564A for ; Fri, 24 Apr 2009 15:35:05 +0000 (UTC) (envelope-from ddg@yan.com.br) Received: from mail.mastercabo.com.br (mail.mastercabo.com.br [189.91.0.40]) by mx1.freebsd.org (Postfix) with SMTP id EB2AB8FC14 for ; Fri, 24 Apr 2009 15:35:04 +0000 (UTC) (envelope-from ddg@yan.com.br) Received: (qmail 14367 invoked by uid 1008); 24 Apr 2009 15:35:03 -0000 X-Spam-Checker-Version: SpamAssassin 3.2.5-unknown (2008-06-10) on srvmail1 X-Spam-Level: X-Spam-Status: No, score=-0.4 required=4.8 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.5-unknown Received: from unknown (HELO ?10.0.1.10?) (daniel@dgnetwork.com.br@200.243.216.68) by mail.mastercabo.com.br with SMTP; 24 Apr 2009 15:35:02 -0000 Message-ID: <49F1DBAE.1080205@yan.com.br> Date: Fri, 24 Apr 2009 12:33:02 -0300 From: =?ISO-8859-1?Q?Daniel_Dias_Gon=E7alves?= User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: Julian Elischer References: <49F06985.1000303@yan.com.br> <49F0A7DD.30206@elischer.org> In-Reply-To: <49F0A7DD.30206@elischer.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org Subject: Re: IPFW MAX RULES COUNT PERFORMANCE X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: ddg@yan.com.br List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Apr 2009 15:35:06 -0000 Very good thinking, congratulations, but my need is another. The objective is a Captive Porrtal that each authentication is dynamically created a rule to ALLOW or COUNT IP authenticated, which I'm testing is what is the maximum capacity of rules supported, therefore simultaneous user. Understand ? Thanks, Daniel Julian Elischer escreveu: > Daniel Dias Gonçalves wrote: >> Hi, >> >> My system is a FreeBSD 7.1R. >> When I add rules IPFW COUNT to 254 IPS from my network, one of my >> interfaces increases the latency, causing large delays in the >> network, when I delete COUNT rules, everything returns to normal, >> which can be ? >> >> My script: > > of course adding 512 rules, *all of which hav eto be evaluated* will > add latency. > > you have several ways to improve this situation. > > 1/ use a differnet tool. > By using the netgraph netflow module you can get > accunting information that may be more useful and less impactful. > > 2/ you could make your rules smarter.. > > use skipto rules to make the average packet traverse less rules.. > > off the top of my head.. (not tested..) > > Assuming you have machines 10.0.0.1-10.0.0.254.... > the rules below have an average packet traversing 19 rules and not 256 > for teh SYN packet and 2 rules for others.. > you may not be able to do the keep state trick if you use state for > other stuff but in that case worst case will still be 19 rules. > > 2 check-state > 5 skipto 10000 ip from not 10.0.0.0/24 to any > 10 skipto 2020 ip from not 10.0.0.0/25 to any # 0-128 > 20 skipto 1030 ip from not 10.0.0.0/26 to any # 0-64 > 30 skipto 240 ip from not 10.0.0.0/27 to any # 0-32 > 40 skipto 100 ip from not 10.0.0.0/28 to any # 0-16 > [16 count rules for 0-15] > 80 skipto 10000 ip from any to any > 100 [16 count rules for 16-31] keep-state > 140 skipto 10000 ip from any to any > 240 skipto 300 ip from not 10.0.0.32/28 > [16 rules for 32-47] keep-state > 280 skipto 10000 ip from any to any > 300 [16 count rules for 48-63] keep-state > 340 skipto 10000 ip from any to any > 1030 skipto 1240 ip from not 10.0.0.64/27 to any > 1040 skipto 1100 ip from not 10.0.0.64/28 to any > [16 count rules for 64-79] keep-state > 1080 skipto 10000 ip from any to any > 1100 [16 rules for 80-95] keep-state > 1140 skipto 10000 ip from any to any > 1240 skipto 1300 ip from not 10.0.0.96/28 to any > [16 count rules for 96-111] keep-state > 1280 skipto 10000 ip from any to any > 1300 [16 rules for 112-127] keep-state > 1340 skipto 10000 ip from any to any > 2020 skipto 3030 ip from not 10.0.0.128/26 to any > 2030 skipto 2240 ip from not 10.0.0.128/28 to any > [16 count rules for 128-143] keep-state > 2080 skipto 10000 ip from any to any > 2100 [16 rules for 144-159] keep-state > 2140 skipto 10000 ip from any to any > 2240 skipto 2300 ip from not 10.0.0.32/28 to any > [16 count rules for 160-175] keep-state > 2280 skipto 10000 ip from any to any > 2300 [16 count rules for 176-191] keep-state > 2340 skipto 10000 ip from any to any > 3030 skipto 3240 ip from not 10.0.0.192/27 to any > 3040 skipto 3100 ip from not 10.0.0.192/28 to any > [16 count rules for 192-207] keep-state > 3080 skipto 10000 ip from any to any > 3100 [16 rules for 208-223] keep-state > 3240 skipto 10000 ip from any to any > 3240 skipto 3300 ip from not 10.0.0.224/28 to any > [16 count rules for 224-239] keep-state > 3280 skipto 10000 ip from any to any > 3300 [16 count rules for 240-255] keep-state > 3340 skipto 10000 ip from any to any > > 10000 #other stuff > > in fact you could improve it further with: > 1/ either going down to a netmask of 29 (8 rules per set) > or > 2/ instead of having count rules make them skipto > so you would have: > 3300 skipto 10000 ip from 10.0.0.240 to any > 3301 skipto 10000 ip from 10.0.0.241 to any > 3302 skipto 10000 ip from 10.0.0.242 to any > 3303 skipto 10000 ip from 10.0.0.243 to any > 3304 skipto 10000 ip from 10.0.0.244 to any > 3305 skipto 10000 ip from 10.0.0.245 to any > 3306 skipto 10000 ip from 10.0.0.246 to any > 3307 skipto 10000 ip from 10.0.0.247 to any > 3308 skipto 10000 ip from 10.0.0.248 to any > 3309 skipto 10000 ip from 10.0.0.249 to any > 3310 skipto 10000 ip from 10.0.0.240 to any > 3311 skipto 10000 ip from 10.0.0.241 to any > 3312 skipto 10000 ip from 10.0.0.242 to any > 3313 skipto 10000 ip from 10.0.0.243 to any > 3314 skipto 10000 ip from 10.0.0.244 to any > 3315 skipto 10000 ip from 10.0.0.245 to any > > thus on average, a packet would traverse half the rules (8). > > 3/ both the above so on average they would traverse 4 rules plus one > extra skipto. > > you should be able to do the above in a script. > I'd love to see it.. > > (you can also do skipto tablearg in -current (maybe 7.2 too) > which may also be good.. (or not)) > > > julian > > > > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > >