From owner-freebsd-hackers@freebsd.org Wed Apr 27 19:21:51 2016
Date: Wed, 27 Apr 2016 16:21:49 -0300
Subject: Best option to process packet ACL
From: Zé Claudio Pastore
To: freebsd-hackers@freebsd.org
List-Id: Technical Discussions relating to FreeBSD

Hello everyone,

I would like to hear your suggestions regarding the best approach to process IP packets for filtering, in such a way that I can avoid lowering my pps rate.

Today I have a simple application that proxies an HTTP application. It's dual-threaded on a 4-core system with low CPU power. The current application uses two threads, one for control and one for data flow processing.

I need to implement a simple set of stateless filtering. I will process only:

- src-ip
- dst-ip
- src-port
- dst-port
- iplen
- proto (tcp/udp/other)

My current rate of requests per second is high, around 200K. I have no idea how I can best leverage the idle CPUs to implement this ACL filtering while trying not to impact the pps rate I have today. I have implemented it serially today (not threaded) and I get a 40% performance loss.

I will handle a max of 128 filter rules; this is a decision which is made. This is going to be first match wins.

My current plans are to test:

1) Create 6 threads, one to test each aspect of the ACL (src-ip, dst-ip, etc). When the first thread returns false to the parent thread, I stop processing that rule, go to the next one, and tell all the other threads to die/exit since they don't matter anymore.

2) Create one thread to process a batch of rules, say, 8 rules per thread per request. I don't know if I would limit the total number of threads and lock requests while threads are busy.

3) Someone suggested "do as pf/ipfw do" but I have no idea how it's done, how multithreaded it is and what is done on each thread.

4) Other suggestions?

This is going to run on FreeBSD 11; I use libevent2 in the current application so far.

Thanks.
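The post asks how to evaluate a first-match-wins stateless ACL of up to 128 rules over exactly six fields. As an added example (my own code, not from the original post, from the poster's application, or from pf/ipfw), here is the serial baseline that any threading option has to beat: a fixed rule table evaluated in one pass on the packet's data-path thread, exiting at the first mismatching field within a rule and at the first matching rule. Every name here (acl_evaluate, pkt_key, acl_rule_any, sample_acl) is mine, and the sample policy and packets are constructed on RFC 5737 documentation address ranges.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ACL_MAX_RULES 128                /* hard limit stated in the post */
enum acl_action { ACL_DENY = 0, ACL_PERMIT = 1 };
enum acl_proto  { ACL_PROTO_ANY = 0, ACL_PROTO_TCP = 6, ACL_PROTO_UDP = 17, ACL_PROTO_OTHER = 255 };

/* The six fields taken from one packet, host byte order. */
struct pkt_key {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port, ip_len;
    uint8_t  proto;                      /* IP protocol number from the header */
};

/* One stateless rule: prefix match on addresses, inclusive ranges on the rest. */
struct acl_rule {
    uint32_t src_ip, src_mask, dst_ip, dst_mask;     /* hit when (pkt.ip & mask) == ip */
    uint16_t sport_lo, sport_hi, dport_lo, dport_hi; /* 0..65535 means "any" */
    uint16_t len_lo, len_hi;
    uint8_t  proto;                      /* ACL_PROTO_ANY / TCP / UDP / OTHER */
    uint8_t  action;
};

struct acl {
    struct acl_rule rules[ACL_MAX_RULES];
    size_t  nrules;
    uint8_t default_action;              /* used when no rule matches */
};

static bool proto_matches(uint8_t want, uint8_t have) {
    if (want == ACL_PROTO_ANY)   return true;
    if (want == ACL_PROTO_OTHER) return have != ACL_PROTO_TCP && have != ACL_PROTO_UDP;
    return want == have;
}

/* Test the cheapest and most selective fields first; stop at the first mismatch. */
static bool rule_matches(const struct acl_rule *r, const struct pkt_key *k) {
    if (!proto_matches(r->proto, k->proto))                     return false;
    if ((k->dst_ip & r->dst_mask) != r->dst_ip)                 return false;
    if ((k->src_ip & r->src_mask) != r->src_ip)                 return false;
    if (k->dst_port < r->dport_lo || k->dst_port > r->dport_hi) return false;
    if (k->src_port < r->sport_lo || k->src_port > r->sport_hi) return false;
    if (k->ip_len   < r->len_lo   || k->ip_len   > r->len_hi)   return false;
    return true;
}

/* First match wins. Returns the action; *idx receives the winning rule index or -1. */
int acl_evaluate(const struct acl *a, const struct pkt_key *k, int *idx) {
    for (size_t i = 0; i < a->nrules; i++) {
        if (rule_matches(&a->rules[i], k)) {
            if (idx) *idx = (int)i;
            return a->rules[i].action;
        }
    }
    if (idx) *idx = -1;
    return a->default_action;
}

/* Winning rule index only (-1 when the default action applied). */
int acl_winner(const struct acl *a, const struct pkt_key *k) { int i; acl_evaluate(a, k, &i); return i; }

/* Append a rule; refuses once the fixed table is full. */
int acl_add(struct acl *a, const struct acl_rule *r) {
    if (a->nrules >= ACL_MAX_RULES) return -1;
    a->rules[a->nrules++] = *r;
    return 0;
}

/* A rule matching every packet; callers narrow only the fields they care about. */
struct acl_rule acl_rule_any(uint8_t action) {
    struct acl_rule r;
    memset(&r, 0, sizeof r);             /* address 0 with mask 0 matches any address; proto 0 is ANY */
    r.sport_hi = r.dport_hi = r.len_hi = 0xFFFF;
    r.action = action;
    return r;
}

uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Constructed sample policy on RFC 5737 documentation ranges (not a real deployment):
 * rule 0 permits TCP/80 to 192.0.2.0/24 from 198.51.100.0/24, rule 1 denies TCP/80
 * to 192.0.2.0/24 from anywhere else, and the default permits everything else.    */
const struct acl *sample_acl(void) {
    static struct acl a;
    memset(&a, 0, sizeof a);
    a.default_action = ACL_PERMIT;
    struct acl_rule r = acl_rule_any(ACL_PERMIT);
    r.proto = ACL_PROTO_TCP; r.dport_lo = r.dport_hi = 80;
    r.dst_ip = ip4(192, 0, 2, 0);    r.dst_mask = 0xFFFFFF00u;
    r.src_ip = ip4(198, 51, 100, 0); r.src_mask = 0xFFFFFF00u;
    acl_add(&a, &r);
    r = acl_rule_any(ACL_DENY);
    r.proto = ACL_PROTO_TCP; r.dport_lo = r.dport_hi = 80;
    r.dst_ip = ip4(192, 0, 2, 0);    r.dst_mask = 0xFFFFFF00u;
    acl_add(&a, &r);
    return &a;
}
```

The per-packet cost is bounded by 128 rules times six comparisons, with most rules rejected on the first or second field, so the whole scan can stay inline on the existing data thread with no locking. Measuring this loop on a captured packet sample is the useful first step before spending threads on it: handing each field to its own thread (option 1 in the post) replaces a handful of integer compares with thread wake-ups and synchronisation per rule, which is the cost being measured, not hidden.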