Date: Fri, 16 May 2008 08:33:11 +0400
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: "Bruce M. Simpson" <bms@FreeBSD.org>
Cc: Vadim Goncharov <vadim_nuclight@mail.ru>, Vivek Khera <vivek@khera.org>, FreeBSD Stable <freebsd-stable@freebsd.org>, freebsd-ipfw@freebsd.org
Subject: Re: how much memory does increasing max rules for IPFW take up?
Message-ID: <482D0E87.6000003@yandex.ru>
In-Reply-To: <482C0A89.104@FreeBSD.org>
References: <04EA1C34-AB7D-4A85-8A91-DED03E987706@khera.org> <482C07DE.3090504@yandex.ru> <482C0A89.104@FreeBSD.org>

Bruce M. Simpson wrote:
> Got any figures for this? I took a quick glance and it looks like it
> just uses a hash over dst/src/dport/sport. If there are a lot of raw IP
> or ICMP flows then that's going to result in hash collisions.

It's my guess, I haven't any figures.
Yes, hash collisions will trigger a lot of searching in the bucket lists.
And increasing only dyn_max without increasing dyn_buckets will increase
collisions.

> It might be a good project for someone to optimize if it isn't scaling
> for folk. "Bloomier" filters are probably worth a look -- bloom filters
> are a class of probabilistic hash which may return a false positive,
> "bloomier" filters are a refinement which tries to limit the false
> positives.

There were some ideas from Vadim Goncharov about rewriting the dynamic
rules implementation.

--
WBR, Andrey V. Elsukov
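
Added example (not part of the original message, and not FreeBSD code): a small C simulation of the sizing effect discussed above, measuring the longest bucket chain when the flow count grows but the bucket count does not, and when flows carry no port numbers. The XOR-and-mask hash, the power-of-two bucket count, the constructed flow set and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed stand-in for the dynamic-rule hash: XOR of the four flow
 * fields, masked to a power-of-two bucket count. */
static uint32_t flow_hash(uint32_t src, uint32_t dst, uint16_t sport,
                          uint16_t dport, uint32_t buckets)
{
    return (src ^ dst ^ sport ^ dport) & (buckets - 1);
}

/* Small deterministic generator so every run sees the same flows. */
static uint32_t prng_next(uint32_t *s)
{
    *s = *s * 1664525u + 1013904223u;
    return *s >> 16;
}

/* Hash `flows` constructed flows into `buckets` chains and return the
 * longest chain, i.e. the worst-case list walk for a single lookup.
 * with_ports == 0 models raw IP/ICMP flows, which carry no ports. */
unsigned longest_chain(uint32_t flows, uint32_t buckets, int with_ports)
{
    unsigned *len = calloc(buckets, sizeof(*len));
    unsigned worst = 0;
    uint32_t seed = 42;

    if (len == NULL)
        return 0;
    for (uint32_t i = 0; i < flows; i++) {
        uint32_t src = 0x0a000000u | (prng_next(&seed) & 0xff); /* 10.0.0.x */
        uint32_t dst = 0xc0a80000u | (prng_next(&seed) & 0x0f); /* 192.168.0.x */
        uint16_t sport = with_ports ? (uint16_t)(1024 + prng_next(&seed) % 64000) : 0;
        uint16_t dport = with_ports ? 80 : 0;
        unsigned n = ++len[flow_hash(src, dst, sport, dport, buckets)];
        if (n > worst)
            worst = n;
    }
    free(len);
    return worst;
}

int main(void)
{
    printf("4096 flows, 256 buckets, ports:   %u\n", longest_chain(4096, 256, 1));
    printf("16384 flows, 256 buckets, ports:  %u\n", longest_chain(16384, 256, 1));
    printf("16384 flows, 4096 buckets, ports: %u\n", longest_chain(16384, 4096, 1));
    printf("16384 flows, 4096 buckets, none:  %u\n", longest_chain(16384, 4096, 0));
    return 0;
}
```

In the port-less case the constructed addresses differ only in their low byte, so at most 256 buckets are ever used and adding buckets beyond that does not shorten the chains.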