Date: Thu, 24 Aug 2006 14:32:04 +0200 From: Ian FREISLICH <if@hetzner.co.za> To: Luigi Rizzo <rizzo@icir.org>, freebsd-ipfw@freebsd.org Subject: Re: ipfw performance and random musings. Message-ID: <E1GGENQ-0008mi-2A@hetzner.co.za> In-Reply-To: Message from Ian FREISLICH <if@hetzner.co.za> of "Tue, 15 Aug 2006 15:21:32 %2B0200." <E1GCyrM-000MtP-W7@hetzner.co.za>
next in thread | previous in thread | raw e-mail | index | archive | help
Ian FREISLICH wrote:
> Luigi Rizzo wrote:
> > On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> > > You're thinking somewhere on the lines of:
> > >
> > > skipto base hash-if <name pattern> from <number> to <number> delta <delta
> [offset <number>]
This is the syntax I've pretty much settled upon:
skipto 1000 ip from any to any ifhash vlan[1000-1264] offset -1000 delta 100
Which for matching interfaces calculates the skipto target as:
1000 + (iface# + offset) * delta
If you're happy with this format, I'll update the ipfw manual page
and submit a patch for review and commit.
I'm now getting ~440kpps forwarded at about 35% interrupt CPU utilisation.
I'm going to have a bash at giving ifconfig a new option so that
packets can be injected into the firewall at the right point. I
have something like the following in mind:
ifconfig em1 ipfw_rule 1000
foo% ifconfig em1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
ether 00:04:23:ce:ca:a0
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
ipfw_rule: 1000
I expect this to reduce interrupt CPU overhead to about 8% at ~440kpps.
Ian
--
Ian Freislich
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1GGENQ-0008mi-2A>