Date:      Tue, 10 Aug 2021 12:14:46 +0000
From:      alfadev via freebsd-hackers <freebsd-hackers@FreeBSD.org>
To:        Eugene Grosbein <eugen@grosbein.net>, "freebsd-hackers@FreeBSD.org" <freebsd-hackers@FreeBSD.org>, "frebsd-ipfw@FreeBSD.org" <frebsd-ipfw@FreeBSD.org>, "melifaro@freebsd.org" <melifaro@freebsd.org>, "ae@FreeBSD.org" <ae@FreeBSD.org>
Subject:   Re: Throughput extremely decreases when IPFW 7000 mac based rules activated
Message-ID:  <neSOZdFA6y8CEzX1HNFK8X3V_CZy8565V3zey1JH4muhgmxKjD4anQW4sX5KroF4M5HFu9vpbou7gSKYJUWklkQDhR0gOFzs-iRNt8tu6hQ=@protonmail.com>
In-Reply-To: <7a737f3d-e291-e8a1-b629-09365a99c937@grosbein.net>
References:  <l4X4keiunQJV31eCpFqdbMySwywRGiWBB6PkAZ-xXmxy8rIfGVD_OVYCPi_X8YfmlMwslbRI3VcS4S9jkvmBS62PwFzMizEwIwwxxXD9FlQ=@protonmail.com> <7a737f3d-e291-e8a1-b629-09365a99c937@grosbein.net>

Thanks!

> ipfw add 10 skipto 1000 not layer2 # do not MAC-filter layer3 packets that have L2 header stripped already anyway
> ipfw add 20 allow out # do not MAC-filter packets leaving the firewall, MAC-filter incoming only
> Also, your 11.2 version is quite old and you may need to upgrade to 11.4-STABLE at least to catch up with bugfixes and/or optimizations.
> Also, if you do filtering bridge, you should carefully read if_bridge(4) manual page,

* I have added skipto rule for layer3
* I have to add both in and out allow pipe rules for each MAC address to assign bandwidth per MAC
* I also tried this configuration on FreeBSD 12.2 but no luck, same problem occurs.
* I have no bridge configuration

> that ipfw is not right tool for this task at the moment.
* How can I overcome this problem without using IPFW?

Thanks for any help ..

Here is my configuration:
#################################################

ipfw -q -f flush

ipfw pipe 2 config bw 500000Kbit mask dst-ip 0xffffffff
ipfw pipe 1002 config bw 500000Kbit mask src-ip 0xffffffff

ipfw pipe 4 config bw 1024Kbit mask dst-ip 0xffffffff
ipfw pipe 1004 config bw 1024Kbit mask src-ip 0xffffffff


# Loopback allow
ipfw -q add 1 allow all from any to any out via lo0
ipfw -q add 2 allow all from any to any in via lo0

# WAN Allow
ipfw -q add 3 allow ip from any to any MAC any any via em0
ipfw -q add 4 allow ip from any to any via em0

# Layer2 em1 enable arp traffic
ipfw -q add 5 allow ip from any to any layer2 mac-type arp via em1
ipfw -q add 6 skipto 64000 all from any to any not layer2

# Layer2 blocked mac
ipfw -q add 1189 deny ip from any to any MAC 1c:cc:d6:42:5e:xx any via em1
ipfw -q add 2189 deny ip from any to any MAC any 1c:cc:d6:42:5e:xx via em1
ipfw -q add 1190 deny ip from any to any MAC 3c:dc:bc:ab:56:yy any via em1
ipfw -q add 2190 deny ip from any to any MAC any 3c:dc:bc:ab:56:yy via em1
ipfw -q add 1193 deny ip from any to any MAC 02:93:ca:4a:24:ab any via em1

ipfw -q add 5004 pipe 2 tag 1 ip from any to any MAC 78:67:d7:23:14:zz any via em1
ipfw -q add 5005 pipe 1002 tag 1 ip from any to any MAC any 78:67:d7:23:14:zz via em1
...
...
...
... sample added mac address allow and pipe rules
...
... TOTAL 2500-3000 mac address in and out allow pipe rules
...
...
ipfw -q add 12004 pipe 4 tag 1 ip from any to any MAC b8:37:e7:53:e4:qq any via em1
ipfw -q add 12005 pipe 1004 tag 1 ip from any to any MAC any b8:37:e7:53:e4:qq via em1


ipfw -q add 60000 allow ip from any to any MAC any any via em1

...
...  NOT tagged Mac address redirected block page
...

ipfw -q add 65534 allow all from any to any

#################################################

Sent with ProtonMail Secure Email.

------- Original Message -------

On Tuesday, August 10th, 2021 at 8:08 AM, Eugene Grosbein <eugen@grosbein.net> wrote:

> CC'ing more knowledgeable eyes that may have something to add.
>
> 09.08.2021 21:58, alfadev via freebsd-hackers wrote:
>
> > Hi, I have freebsd 11.2 server with IPFW firewall
> >
> > 870Mbits Fiber Net exist in my data center
> >
> > There are 7000 defined mac based rules on IPFW and 3000 of them active client. There is no problem before IPFW rules loading but when I load IPFW rules,
> >
> > throughput extremely decreases up to 80Mbits. There are not any error logs. I could not find what is the problem.
> >
> > Any help would be appreciated at this point.
>
> The search over ipfw rules is linear, so no wonder it decreases drastically when the list grows so big.
>
> Also, layer-2 frames and then layer-3 packets may pass over ipfw matching process up to four times
>
> unless you carefully create your ruleset like this:
>
> ipfw add 10 skipto 1000 not layer2 # do not MAC-filter layer3 packets that have L2 header stripped already anyway
>
> ipfw add 20 allow out # do not MAC-filter packets leaving the firewall, MAC-filter incoming only
>
> ipfw add 30 ... # start MAC-filtering here
>
> ...
>
> ipfw add 1000 ... # firewall part for layer3 packets
>
> Also, if you do filtering bridge, you should carefully read if_bridge(4) manual page,
>
> section PACKET FILTERING and disable extra passes over packet filters such as:
>
> sysctl net.link.bridge.pfil_member=0 # disable extra passes over ipfw ruleset for bridge members, filter the bridge itself only
>
> Such ruleset could decrease filtering overhead several times but I'm afraid
>
> that ipfw is not right tool for this task at the moment.
>
> ipfw has "tables" to optimize large list matching and they perform great but for layer3 IP matching, not for layer2 MAC matching.
>
> Also, your 11.2 version is quite old and you may need to upgrade to 11.4-STABLE at least to catch up with bugfixes and/or optimizations.
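The ruleset layout Eugene describes (layer3 packets and ARP leave the MAC section immediately, deny rules ahead of the per-client pipe rules, a pipe pair per bandwidth class rather than per client) can be generated from a client list instead of being maintained by hand. The script below is an added example written for this thread; it is not the poster's configuration and not part of FreeBSD. The interface names `em0`/`em1`, the rule and pipe numbers, the `<mac> <kbit>` / `<mac> deny` list format and the final deny of unknown MACs are assumptions. It writes a file that `ipfw -q FILE` can load, and refuses a list containing a malformed MAC or bandwidth so that a bad entry cannot turn into an unintended rule.

```shell
#!/bin/sh
# Added example for this thread, not a ruleset from the poster or from FreeBSD:
# generate an ipfw file that shapes bandwidth per client MAC in the layout
# suggested above (ARP and layer3 traffic leave the MAC section early, deny
# rules before pipe rules, one pipe pair per bandwidth class rather than per
# client). Interface names, rule and pipe numbers and the list format are
# assumptions.

LAN_IF="em1"      # assumption: client-facing interface
WAN_IF="em0"      # assumption: uplink interface
L3_SKIP=60000     # assumption: first rule number of the layer3 section

# A MAC is six colon-separated lower-case hex octets; anything else is
# rejected so a stray list entry cannot smuggle extra tokens into a rule.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# pipe_base KBIT: download pipe number of the class for KBIT; the upload
# pipe of the same class is that number plus 1000, as in the poster's config.
pipe_base() {
    n=0
    for b in $CLASSES; do
        n=$((n + 2))
        if [ "$b" = "$1" ]; then echo "$n"; return 0; fi
    done
    return 1
}

# gen_rules LISTFILE OUTFILE
#   LISTFILE lines: "<mac> <kbit>" for a shaped client, "<mac> deny" to block.
#   OUTFILE receives commands loadable with: ipfw -q OUTFILE
#   Returns 1 without writing anything if a line is malformed.
gen_rules() {
    list="$1"; out="$2"
    while read -r mac action; do
        [ -z "$mac" ] && continue
        valid_mac "$mac" || return 1
        case "$action" in deny) ;; ''|*[!0-9]*) return 1 ;; esac
    done < "$list"
    CLASSES=$(awk 'NF == 2 && $2 != "deny" { print $2 }' "$list" | sort -n -u)
    rule=100
    {
        echo "flush"
        for bw in $CLASSES; do
            p=$(pipe_base "$bw")
            echo "pipe $p config bw ${bw}Kbit mask dst-ip 0xffffffff"            # download
            echo "pipe $((p + 1000)) config bw ${bw}Kbit mask src-ip 0xffffffff" # upload
        done
        echo "add 1 allow all from any to any via lo0"
        echo "add 2 allow all from any to any via $WAN_IF"
        echo "add 5 allow ip from any to any layer2 mac-type arp via $LAN_IF"
        # layer3 packets carry no L2 header here, so skip the whole MAC section
        echo "add 6 skipto $L3_SKIP all from any to any not layer2"
        while read -r mac action; do                 # blocked clients first
            [ "$action" = deny ] || continue
            echo "add $rule deny ip from any to any MAC $mac any via $LAN_IF"
            rule=$((rule + 1))
            echo "add $rule deny ip from any to any MAC any $mac via $LAN_IF"
            rule=$((rule + 1))
        done < "$list"
        while read -r mac action; do                 # then one pipe pair per client
            [ -n "$mac" ] && [ "$action" != deny ] || continue
            p=$(pipe_base "$action")
            echo "add $rule pipe $p tag 1 ip from any to any MAC $mac any via $LAN_IF"
            rule=$((rule + 1))
            echo "add $rule pipe $((p + 1000)) tag 1 ip from any to any MAC any $mac via $LAN_IF"
            rule=$((rule + 1))
        done < "$list"
        # unknown MACs on the client interface are dropped, not shaped
        echo "add $((L3_SKIP - 1)) deny ip from any to any layer2 via $LAN_IF"
        echo "add $L3_SKIP allow all from any to any"   # assumption: layer3 rules go here
    } > "$out"
}
```

Run it as `gen_rules clients.txt /tmp/ipfw.rules` and load the result with `ipfw -q /tmp/ipfw.rules`. The layout does not change the linear search Eugene points out: every layer2 frame on `em1` still walks the deny and pipe rules until it matches, so with thousands of clients the per-frame cost remains proportional to the list length. What it does remove are the extra passes (layer3 packets, ARP, uplink traffic) that would otherwise walk the same list for nothing, which is the part of the overhead a ruleset can control.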


