From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 17 20:40:18 2006
Return-Path:
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A72B816A4E6 for ; Thu, 17 Aug 2006 20:40:18 +0000 (UTC) (envelope-from if@hetzner.co.za)
Received: from hetzner.co.za (office.cpt2.your-server.co.za [196.7.147.230]) by mx1.FreeBSD.org (Postfix) with ESMTP id B69DA43D5E for ; Thu, 17 Aug 2006 20:40:11 +0000 (GMT) (envelope-from if@hetzner.co.za)
Received: from localhost ([127.0.0.1] helo=ian.hetzner.africa) by hetzner.co.za with esmtp (Exim 4.62 (FreeBSD)) (envelope-from ) id 1GCyrM-000MtP-W7; Tue, 15 Aug 2006 15:21:32 +0200
To: Luigi Rizzo
From: Ian FREISLICH
In-Reply-To: Message from Luigi Rizzo of "Wed, 02 Aug 2006 12:40:53 MST." <20060802124053.A22010@xorpc.icir.org>
X-Attribution: BOFH
Date: Tue, 15 Aug 2006 15:21:32 +0200
Message-Id:
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw performance and random musings.
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 17 Aug 2006 20:40:18 -0000

Luigi Rizzo wrote:
> On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> > You're thinking somewhere on the lines of:
> >
> > skipto base hash-if from to delta [offset ]
>
> i did not consider the range in interface numbers,
> but that's a possibility, yes.

That's the only way to do this to eliminate yet another linear search
in the firewall processing.

> On the other hand, i don't think one is going to write
> 500 different subsets of ipfw rules to handle the 500
> different interfaces.

This is exactly what I'm doing.  My routers have hundreds of interfaces
and my customers can edit rules that apply to only their interface.
I need to make the firewall go faster because one host on a 100M
ethernet can fully occupy ipfw's attention.

> another approach that was suggested long ago was to put, in
> the interface definition, a starting ipfw rule number so
> the ip_fw_chk() would start from there if available,
> rather than from rule 1.

Do you have a quick-start on how I would go about doing this?  I am
not familiar with how packets get from the NIC into the firewall and
how I would get this information from the interface to the firewall.
I can then figure out which will be within my grasp.

Ian

--
Ian Freislich
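The two ideas traded in the exchange above (a per-interface start rule for ip_fw_chk(), and a computed "skipto ... hash-if" jump into a block of per-interface rules) both attack the same cost: a packet arriving on interface number 150 should not have to be compared against the rules written for interfaces 0 to 149 first. The following is an added illustration, not code from the thread, from ipfw or from FreeBSD's ip_fw_chk(): a small Python model of a rule chain with one constructed rule block per interface, walked three ways, that reports how many rules each walk examines before reaching a verdict. The rule numbers, interface names, block size, the `hash-if` field names and the `10.N.0.9` addresses are all assumptions made up for the model.

```python
"""Toy model of ipfw rule-chain traversal with per-interface start rules.

Constructed example only: rule numbers, interfaces and addresses are made
up, and ip_fw_chk() here is a simplified stand-in for the kernel function,
counting how many rules are examined before a packet is accepted/denied.
"""
from bisect import bisect_left
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow", "deny", "skipto" or "hash-if"
    iface: Optional[str] = None  # restrict to this interface (None = any)
    src: Optional[str] = None    # restrict to this source address (None = any)
    target: int = 0              # skipto target, or hash-if base rule number
    lo: int = 0                  # hash-if: first interface index covered
    hi: int = 0                  # hash-if: last interface index covered
    delta: int = 0               # hash-if: rule numbers reserved per interface


@dataclass(frozen=True)
class Packet:
    iface: str
    ifindex: int
    src: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """A hash-if rule matches on interface index range; others on iface/src."""
    if rule.action == "hash-if":
        return rule.lo <= pkt.ifindex <= rule.hi
    return rule.iface in (None, pkt.iface) and rule.src in (None, pkt.src)


def build_chain(ifaces: List[str], base: int = 1000, block: int = 100) -> Tuple[List[Rule], Dict[str, int]]:
    """Constructed chain: one block of `block` rule numbers per interface.

    Each block holds a customer-editable deny for one source followed by an
    allow for the interface; start_of[iface] is the block's first rule number,
    i.e. the "starting ipfw rule number" an interface definition could carry.
    """
    chain: List[Rule] = []
    start_of: Dict[str, int] = {}
    for i, name in enumerate(ifaces):
        first = base + i * block
        start_of[name] = first
        chain.append(Rule(first, "deny", iface=name, src=f"10.{i}.0.9"))  # constructed customer rule
        chain.append(Rule(first + 1, "allow", iface=name))
    return chain, start_of


def ip_fw_chk(chain: List[Rule], pkt: Packet, start_rule: int = 1) -> Tuple[str, int]:
    """Walk `chain` (sorted by rule number) from `start_rule`.

    Returns (verdict, rules_examined). Non-matching rules still cost one
    comparison each, which is the linear search the thread wants to avoid.
    """
    numbers = [r.number for r in chain]
    idx = bisect_left(numbers, start_rule)
    examined = 0
    while idx < len(chain):
        rule = chain[idx]
        examined += 1
        if not matches(rule, pkt):
            idx += 1
            continue
        if rule.action == "hash-if":
            # computed jump: base + (ifindex - lo) * delta, as in the proposed syntax
            idx = bisect_left(numbers, rule.target + (pkt.ifindex - rule.lo) * rule.delta)
        elif rule.action == "skipto":
            idx = bisect_left(numbers, rule.target)
        else:
            return rule.action, examined
    return "deny", examined  # ipfw's implicit final deny


# Constructed router: 200 interfaces, one rule block each.
IFACES = [f"vlan{i}" for i in range(200)]
BASE, BLOCK = 1000, 100
CHAIN, START_OF = build_chain(IFACES, BASE, BLOCK)
# Same chain with a single hash-if skipto at rule 1 covering all interface indexes.
HASH_CHAIN = [Rule(1, "hash-if", target=BASE, lo=0, hi=len(IFACES) - 1, delta=BLOCK)] + CHAIN


def compare(pkt: Packet) -> Dict[str, Tuple[str, int]]:
    """Verdict and rules examined under each of the three traversal strategies."""
    return {
        "linear": ip_fw_chk(CHAIN, pkt),
        "iface-start": ip_fw_chk(CHAIN, pkt, START_OF.get(pkt.iface, 1)),
        "hash-if": ip_fw_chk(HASH_CHAIN, pkt),
    }


if __name__ == "__main__":
    for pkt in (Packet("vlan150", 150, "192.0.2.1"),   # allowed traffic on interface 150
                Packet("vlan150", 150, "10.150.0.9"),  # source the customer blocked
                Packet("em0", 500, "192.0.2.1")):      # interface with no rule block
        print(pkt, compare(pkt))
```

For the packet on vlan150 the plain walk examines 302 rules before the allow, while both the per-interface start rule and the computed skipto reach the same verdict after 2 or 3 comparisons; a packet from an interface outside the hash-if range falls through to the full walk and the default deny, which is the case a real implementation has to handle deliberately rather than by accident.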