From owner-freebsd-stable@FreeBSD.ORG Sun May 18 07:26:48 2008
Return-Path: 
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 88AFF106564A; Sun, 18 May 2008 07:26:48 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.freebsd.org (Postfix) with ESMTP id B26B38FC19; Sun, 18 May 2008 07:26:46 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.5) with SMTP id RAA09160; Sun, 18 May 2008 17:26:37 +1000 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Sun, 18 May 2008 17:26:36 +1000 (EST)
From: Ian Smith
To: Vivek Khera
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-ipfw@freebsd.org, FreeBSD Stable
Subject: Re: how much memory does increasing max rules for IPFW take up?
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Sun, 18 May 2008 07:26:48 -0000

On Fri, 16 May 2008, Vivek Khera wrote:

> How are the buckets used? Are they hashed per rule number or some
> other mechanism? Nearly all of my states are from the same rule (e.g.,
> on a mail server for the SMTP port rule).

/sys/netinet/ip_fw.h
/sys/netinet/ip_fw2.c

Hashed per flow, (srcip^destip^srcport^dstport) mod curr_dyn_buckets, so
packets for both directions of a given flow hash to the same bucket. In
the case you mention, you could likely expect reasonable distribution by
src_ip/src_port.

The rule number doesn't contribute to the hash, but is contained in the
dynamic rule entry, i.e. a matched flow resolves to its rule at the first
check_state or keep_state rule encountered. Try searching for '_STATE'.

Each bucket just contains a pointer, so on i386 I'd expect 1KB per 256
buckets, see realloc_dynamic_table. The 'pointees', ipfw_dyn_rule, are
around 70? bytes each with 32-bit pointers, so 4K current dynamic rules
should use around 280KB? Somebody yell if I'm badly miscalculating ...

> How should I scale the buckets with the max rules? The default seems
> to be 4096 rules and 256 buckets. Should I maintain that ratio?

Sounds reasonable. Extra buckets look cheap, if I'm reading it right, and
memory otherwise appears to be only allocated on use, per new flow, but
I'm ignorant of any other memory allocation overheads.

caveats: 5.5 sources; C is read-only here; not subscribed to -ipfw

cheers, Ian
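A worked illustration of the points in Ian's reply, added here as an example; it is not part of the original message and not FreeBSD's ipfw source. It computes the bucket index exactly as the mail states it, `(srcip^destip^srcport^dstport) mod curr_dyn_buckets`, checks that a flow and its reply direction land in the same bucket, applies the mail's rough memory arithmetic (one pointer per bucket, about 70 bytes per `ipfw_dyn_rule`), and simulates the mail-server case from the thread (every flow to one local address on port 25) to see how 4096 constructed flows spread over 256 buckets. The `flow_id` struct, the xorshift PRNG, the seed, the addresses and the 70-byte entry size are all assumptions or constructed data; the kernel's real `ipfw_flow_id` carries more fields and stores addresses in network byte order.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the fields of ipfw's flow id that feed the
 * dynamic-rule hash (assumption: host byte order; the kernel struct has
 * more fields than these four). */
struct flow_id {
    uint32_t src_ip;
    uint32_t dst_ip;
    uint16_t src_port;
    uint16_t dst_port;
};

/* Bucket index as the mail describes it:
 * (srcip ^ destip ^ srcport ^ dstport) mod curr_dyn_buckets. */
static unsigned
hash_flow(const struct flow_id *id, unsigned curr_dyn_buckets)
{
    uint32_t i = id->src_ip ^ id->dst_ip ^ id->src_port ^ id->dst_port;
    return (unsigned)(i % curr_dyn_buckets);
}

/* 1 if a flow and its reply direction land in the same bucket.
 * XOR is commutative, so swapping src and dst cannot change the hash. */
int
same_bucket_both_ways(uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport,
                      unsigned buckets)
{
    struct flow_id fwd = { sip, dip, sport, dport };
    struct flow_id rev = { dip, sip, dport, sport };
    return hash_flow(&fwd, buckets) == hash_flow(&rev, buckets);
}

/* Rough memory estimate in the mail's terms: one pointer per bucket plus one
 * dynamic-rule entry per tracked flow. The 70-byte entry size is the mail's
 * own approximation and is passed in rather than hard-coded. */
unsigned long
estimate_bytes(unsigned buckets, unsigned dyn_rules, unsigned ptr_size, unsigned entry_size)
{
    return (unsigned long)buckets * ptr_size + (unsigned long)dyn_rules * entry_size;
}

/* Small deterministic PRNG (xorshift32) so the constructed traffic is reproducible. */
static uint32_t
xorshift32(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Constructed mail-server scenario from the thread: every flow goes to the
 * same local address on port 25, from a pseudo-random remote address and
 * ephemeral port. Fills counts[0..buckets-1] with per-bucket chain lengths. */
static void
simulate_smtp_flows(unsigned buckets, unsigned nflows, unsigned *counts)
{
    uint32_t rng = 0x9E3779B9u;              /* fixed seed: constructed data */
    const uint32_t local_ip = 0xC0A80119u;   /* 192.168.1.25, constructed */
    unsigned k;

    for (k = 0; k < buckets; k++)
        counts[k] = 0;
    for (k = 0; k < nflows; k++) {
        struct flow_id f;
        f.src_ip   = xorshift32(&rng);
        f.src_port = (uint16_t)(49152 + (xorshift32(&rng) % 16384)); /* ephemeral range */
        f.dst_ip   = local_ip;
        f.dst_port = 25;
        counts[hash_flow(&f, buckets)]++;
    }
}

/* Number of buckets that received at least one flow. */
unsigned
occupied_buckets(unsigned buckets, unsigned nflows)
{
    unsigned *counts = calloc(buckets, sizeof *counts);
    unsigned k, occupied = 0;
    if (counts == NULL)
        return 0;
    simulate_smtp_flows(buckets, nflows, counts);
    for (k = 0; k < buckets; k++)
        if (counts[k] > 0)
            occupied++;
    free(counts);
    return occupied;
}

/* Longest chain a state lookup would have to walk in that scenario. */
unsigned
max_chain_len(unsigned buckets, unsigned nflows)
{
    unsigned *counts = calloc(buckets, sizeof *counts);
    unsigned k, longest = 0;
    if (counts == NULL)
        return 0;
    simulate_smtp_flows(buckets, nflows, counts);
    for (k = 0; k < buckets; k++)
        if (counts[k] > longest)
            longest = counts[k];
    free(counts);
    return longest;
}

int
main(void)
{
    printf("both directions same bucket: %d\n",
           same_bucket_both_ways(0x0A000001u, 51000, 0xC0A80119u, 25, 256));
    printf("4096 rules / 256 buckets, 32-bit pointers: ~%lu bytes\n",
           estimate_bytes(256, 4096, 4, 70));
    printf("4096 SMTP flows into 256 buckets: %u occupied, longest chain %u\n",
           occupied_buckets(256, 4096), max_chain_len(256, 4096));
    return 0;
}
```

The estimate for the default 4096 rules and 256 buckets with 4-byte pointers comes out at 287744 bytes, i.e. the mail's 1KB of bucket pointers plus about 280KB of entries. The simulation only shows the spread for uncorrelated remote addresses and ports; with the default 16 flows per bucket the longest chain is what bounds lookup cost, which is the reason extra buckets are cheap insurance when the dynamic-rule limit is raised.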