Date: Mon, 10 Nov 2003 00:18:01 -0800
From: "'Luigi Rizzo'" <rizzo@icir.org>
To: Artis Caune <ac-lists@latnet.lv>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: loading lot of rules takes very long time
Message-ID: <20031110001801.A67328@xorpc.icir.org>
In-Reply-To: <20031110080053.5A99543F3F@mx1.FreeBSD.org>; from ac-lists@latnet.lv on Mon, Nov 10, 2003 at 09:59:29AM +0200
References: <20031106033919.A65661@xorpc.icir.org> <20031110080053.5A99543F3F@mx1.FreeBSD.org>
On Mon, Nov 10, 2003 at 09:59:29AM +0200, Artis Caune wrote:
> "-Nq" speed up a little bit, thanks
>
> We need individual pipes for each client,
> because they are different organizations
> and pay different price for different speed
> pipes. (international traffic) We have /16 prefix ;)

i understand that, what i meant is that i believe you only have
a handful (say S) of different speeds and a handful (say L) of
prefix lengths, so you could just create 2*S*L pipes with masks
and pass traffic for the various clients to these pipes.
This would make your ruleset a lot more efficient.

> we use "skipto" to divide our /16 prefix in pieces:
> add 2 skipto 100 all from any to 159.148.0.0/24
> add 2 skipto 200 all from any to 159.148.1.0/24
> ...
> add 2 skipto N all from any to 159.148.255.0/24
>
> This is just example, we need more planning.
>
>
> pf can load 50000 rules in about 5-7sec.
> ipfw need about 25-35min to load 30000 rules.

hmm... i believe you should really follow the suggestion that
someone else posted and use the

	ipfw [-cnNqS] [-p preproc [preproc-flags]] pathname

command format to load all rules at once.

cheers
luigi

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]
> On Behalf Of Luigi Rizzo
> Sent: Thursday, 6 November 2003 13:39
> To: Artis Caune
> Cc: freebsd-ipfw@freebsd.org
> Subject: Re: loading lot of rules takes very long time
>
> most likely, because you are not using "-n", the printing
> code will use the nameserver to try and resolve addresses, and
> if halfway through you are limiting/blocking access to the
> nameserver you incur timeouts.
>
> To tell the truth i suspect you have a quite poorly designed
> ruleset if you are adding individual rules and pipes for each
> client. Almost surely you should make use of masks in pipes,
> and address sets in rules, to reduce the size of your ruleset
> to something manageable and efficient.
>
> cheers
> luigi
>
> On Thu, Nov 06, 2003 at 01:04:31PM +0200, Artis Caune wrote:
> > Hello,
> >
> > We have about 10000-20000 pipes for
> > different subnets, and it takes very long
> > time to load them - about 10-15min.
> >
> > 92.8% interrupt, 0.0% idle
> >
> > strange that things slow down when count
> > reaches 2000-2500 rules.
> >
> > is there something we can do to speed things up?
> >
> > rules are added like:
> > ipfw -q add 1 pipe 1 src-ip 1.1.1.1 out via em0
> > ipfw pipe 1 config bw 30Kbytes/s queue 10
> > ...
> > so 'ipfw' is invoked '2 x client_count' !!!
> >
> > maybe ipfw need feature like:
> > ipfw -f /etc/rc.firewall
> >
> > # FreeBSD-4.9, IPFW2,
> > # HZ=2000, DEVICE_POLLING,
> > # 1G RAM, 2.4xeon on Intel server board
> >
> > .....
> > Artis
> >
> > _______________________________________________
> > freebsd-ipfw@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
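Luigi's two suggestions above (a few masked pipes per speed class and prefix length, and loading the whole ruleset with one ipfw invocation) put together as an added example that is not part of the thread; it assumes em0 is the upstream interface and the client table is constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread: build one ruleset file from a client
# table and load it with a single "ipfw -q pathname" call, using dummynet masks
# so there is one pipe per (direction, speed, prefix length) instead of one pipe
# and one rule per client.
# Assumptions: em0 is the upstream interface (as in the thread); the client
# table below is constructed sample data, not real customers.

# columns: client prefix, speed class (dummynet "bw" syntax)
CLIENTS='159.148.0.0/24 30KBytes/s
159.148.1.0/24 64KBytes/s
159.148.2.0/24 30KBytes/s
159.148.4.0/23 64KBytes/s'

# Netmask for a prefix length, in the form dummynet masks take: 24 -> 0xffffff00
prefix_mask() {
    printf '0x%08x' $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# Emit the ruleset for "ipfw pathname": one ipfw command per line, no leading "ipfw".
gen_rules() {
    ifn=$1 pipe=1 rule=1000
    echo "flush"
    echo "pipe flush"
    # distinct (speed, prefix length) classes; each one gets two masked pipes
    printf '%s\n' "$CLIENTS" | awk '{ split($1, a, "/"); print $2, a[2] }' | sort -u |
    while read -r speed len; do
        # every prefix of this class as a single ipfw address list "a/24,b/24"
        addrs=$(printf '%s\n' "$CLIENTS" | awk -v s="$speed" -v l="$len" \
            '{ split($1, a, "/") } a[2] == l && $2 == s { printf "%s%s", (n++ ? "," : ""), $1 }')
        m=$(prefix_mask "$len")
        # traffic from the clients: one queue per prefix, keyed on source address
        echo "pipe $pipe config bw $speed queue 10 mask src-ip $m"
        echo "add $rule pipe $pipe ip from $addrs to any out via $ifn"
        pipe=$((pipe + 1)) rule=$((rule + 10))
        # traffic to the clients: one queue per prefix, keyed on destination address
        echo "pipe $pipe config bw $speed queue 10 mask dst-ip $m"
        echo "add $rule pipe $pipe ip from any to $addrs in via $ifn"
        pipe=$((pipe + 1)) rule=$((rule + 10))
    done
}

# Write the file and load everything in one ipfw invocation (root on FreeBSD).
load_rules() {
    gen_rules "$1" > /tmp/ipfw.rules && ipfw -q /tmp/ipfw.rules
}
```

With the sample table this yields 3 classes, so 6 pipes and 6 rules in place of one pipe and one rule per client, and `load_rules em0` replaces the `2 x client_count` ipfw invocations described in the thread.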