Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 30 Mar 2007 16:02:43 -0500
From:      Kevin Day <toasty@dragondata.com>
To:        Julian Elischer <julian@elischer.org>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>, ipfw@freebsd.org
Subject:   Re: IPFW update frequency
Message-ID:  <98FE1AAF-DF19-43A8-A5B6-010C852AF489@dragondata.com>
In-Reply-To: <460D75CE.70804@elischer.org>
References:  <460D75CE.70804@elischer.org>

next in thread | previous in thread | raw e-mail | index | archive | help

On Mar 30, 2007, at 3:40 PM, Julian Elischer wrote:

> I have been looking at the IPFW code recently, especially with  
> respect to locking.
> There are some things that could be done to improve IPFW's  
> behaviour when processing packets, but some of these take a
> toll (there is always a toll) on the 'updating' side of things.
>
> For example. I can make IPFW lock-free during processing of packets  
> (i.e. not holding any locks while traversing the
> list) which would solve problems we have with lock-order reversals
> when it needs to look at the socket layer (which needs socket layer  
> locks). Unfortunatly this would make it a lot more expensive
> in the case where new rules are being added to the list. possibly a  
> LOT
> more expensive. Now, this would only matter if one was adding (or  
> deleting)
> hundreds of rules per second to the firewall, but as I've discovered,
> there's always SOMEONE that is doing the very thing you imagine that
> no-one would ever do.
>
> In my imagination, most of the people who did this sort of thing don't
> need to do it any more as tables obviate the need for that sort of  
> thing.
>
> Is there anyone out there who is adding hundreds (or even dozens)  
> of rules
> per second on a continuous basis, or who wants rule changing to
> be a really efficient operation?
> (does it matter to you if it takes a few milliSecs to add a rule?)
>
> Julian

Would this apply to "dynamic rules", using the keep-state keyword?  
That'd be a killer for us.

If not, the only problem I'd have is that my ipfw startup script adds  
about 20,000 rules on a reboot. 20,000 rules multiplied by any  
significant amount of time would be bad, just from a reboot-recovery- 
time angle. But, if it improved overall performance, I probably  
wouldn't mind too much. :)





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?98FE1AAF-DF19-43A8-A5B6-010C852AF489>