Date: Wed, 2 Aug 2006 12:40:53 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Ian FREISLICH <if@hetzner.co.za>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw performance and random musings.
Message-ID: <20060802124053.A22010@xorpc.icir.org>
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> Luigi Rizzo wrote:
> > On Wed, Aug 02, 2006 at 12:27:39PM +0200, Ian FREISLICH wrote:
> > ...
> > > things. I can also give the ifp->if_index cache a go. Since I
> > > need to virtualise the firewall, I need a set of rules for each
> > > interface. I can't think of another way of sharing the firewall
> > > between a few hundred customers than by doing this:
> >
> > that's too heavyweight, perhaps you need to implement a
> > new microinstruction to hash the interface name and do an indirect
> > jump to the right target. Although the syntax can be tricky, something
> > like
> >
> >     hash-if name:base:delta[,name:base:delta]
> >
> > where name is the basename of the interface (e.g. vlan)
> > so that packets from interface fooX would jump to base+X*delta
>
> So, this will get performance to approach 120kpps, that will still
> need to do a linear search of the rule set to find the next rule,
> which I see I have to do anyway. For some reason I thought skipto
> used a pointer to the next rule.

skipto does use a pointer, and you are right, if one wants a high
speed implementation the jump target should be looked up using a
hash table as well (perhaps replacing the pointer in the rule itself).

> You're thinking somewhere on the lines of:
>
>     skipto base hash-if from to delta [offset ]

I did not consider the range in interface numbers, but that's a
possibility, yes. On the other hand, I don't think one is going to
write 500 different subsets of ipfw rules to handle the 500 different
interfaces.

Another approach that was suggested long ago was to put, in the
interface definition, a starting ipfw rule number so the ip_fw_chk()
would start from there if available, rather than from rule 1.

cheers
luigi
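The exchange above contrasts two ways of resolving a jump target (a linear walk of the rule chain versus a pointer resolved once at load time) and sketches a "hash-if" dispatch that maps interface fooX to rule base+X*delta. The following is an added toy model of both ideas, written for this page; it is not ipfw code and not code from either correspondent. The rule chain, the `struct rule` layout and the `hashif_target()` function are assumptions for illustration, and the sample chain is constructed.

```c
/*
 * Added example (not from the ipfw source or the thread's authors): a toy
 * model of skipto target resolution and hash-if style dispatch.
 *  - resolve_linear():  walk the sorted chain until the first rule whose
 *                       number is >= target (the cost Ian worried about).
 *  - link_chain():      resolve every skipto once at load time and cache a
 *                       pointer in the rule, as Luigi says skipto does.
 *  - hashif_target():   map "vlan37" with basename "vlan" to base + 37*delta,
 *                       rejecting names that do not match or that would land
 *                       outside the 16-bit rule number space.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum action { A_ALLOW, A_DENY, A_SKIPTO };

struct rule {
    unsigned number;       /* ipfw rule number; the chain is sorted by it */
    enum action act;
    unsigned arg;          /* skipto target number (only for A_SKIPTO) */
    struct rule *target;   /* cached pointer, filled in by link_chain() */
};

/* Constructed sample chain: rule 100 jumps to the per-interface block at 1000. */
static struct rule chain[] = {
    {   100, A_SKIPTO, 1000, NULL },
    {   200, A_DENY,      0, NULL },
    {  1000, A_ALLOW,     0, NULL },
    {  1010, A_DENY,      0, NULL },
    {  1020, A_ALLOW,     0, NULL },
    { 65535, A_DENY,      0, NULL },
};
#define NRULES (sizeof(chain) / sizeof(chain[0]))

/* Linear walk: O(n) in the chain length; *steps reports how many rules were touched. */
struct rule *resolve_linear(unsigned target, unsigned *steps)
{
    *steps = 0;
    for (size_t i = 0; i < NRULES; i++) {
        (*steps)++;
        if (chain[i].number >= target)
            return &chain[i];
    }
    return NULL;
}

unsigned linear_steps(unsigned target)
{
    unsigned s;
    resolve_linear(target, &s);
    return s;
}

/* Binary search on the sorted chain; used once per skipto at load time. */
struct rule *resolve_bsearch(unsigned target)
{
    size_t lo = 0, hi = NRULES;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (chain[mid].number < target)
            lo = mid + 1;
        else
            hi = mid;
    }
    return lo < NRULES ? &chain[lo] : NULL;
}

/* Resolve every skipto once so packet-time dispatch is a single pointer load. */
void link_chain(void)
{
    for (size_t i = 0; i < NRULES; i++)
        if (chain[i].act == A_SKIPTO)
            chain[i].target = resolve_bsearch(chain[i].arg);
}

struct rule *resolve_cached(const struct rule *r)
{
    return r->target;   /* O(1): no search at packet time */
}

/*
 * hash-if style dispatch (assumed semantics): "<basename><X>" -> base + X*delta.
 * Returns 0 (no jump) when the name does not match the basename, has no
 * numeric unit, has trailing junk, or the target leaves the rule number space,
 * so a caller falls through to the next rule instead of jumping blindly.
 */
unsigned hashif_target(const char *ifname, const char *basename,
                       unsigned base, unsigned delta)
{
    size_t blen = strlen(basename);
    if (strncmp(ifname, basename, blen) != 0 || !isdigit((unsigned char)ifname[blen]))
        return 0;
    char *end;
    unsigned long unit = strtoul(ifname + blen, &end, 10);
    if (*end != '\0')
        return 0;
    unsigned long t = (unsigned long)base + unit * delta;
    return t < 65535 ? (unsigned)t : 0;
}

int main(void)
{
    unsigned steps;
    link_chain();
    struct rule *a = resolve_linear(chain[0].arg, &steps);
    struct rule *b = resolve_cached(&chain[0]);
    printf("linear: rule %u after %u steps; cached: rule %u after 1 step\n",
           a->number, steps, b->number);
    printf("vlan37 -> rule %u\n", hashif_target("vlan37", "vlan", 1000, 10));
    return 0;
}
```

With the six-rule sample chain the linear walk touches three rules to find 1000 while the cached pointer touches none; on a chain with hundreds of per-customer blocks the gap is what makes the load-time resolution worth its bookkeeping. The `hashif_target()` guard against out-of-range targets matters for the same reason a bad skipto target does: a computed jump must never leave the rule table.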