Date: Mon, 31 Jul 2006 14:15:56 +0200
From: Ian FREISLICH <if@hetzner.co.za>
To: freebsd-ipfw@FreeBSD.org
Subject: ipfw performance and random musings.
Message-ID: <E1G7Wge-0005G0-7G@hetzner.co.za>
Hi

I was wondering if anyone here had any ideas for improving the performance (packet rate) of ipfw. I have about 500 interfaces on my firewall and I need to match and filter packets on a per interface basis.

I've found that while the server can move in excess of 360kpps between arbitrary interfaces using about 5% CPU, if I turn on the firewall, my average packet rate falls off to about 60kpps on a UP system and 90kpps on a SMP system. The maximum rate I can forward packets with ipfw enabled is 120kpps and that is with 1 rule allowing ip from any to any. At these maximum rates, CPU utilization is close to 100% on both CPUs in the interrupt handler.

This low packet rate and high CPU utilization does not make the system effective (for other users) while filtering a DoS attack perpetrated by a host behind the firewall.

Perhaps these are 2 easy wins:

1. Change the order of the case statements in ipfw_chk() to move more frequently used items to the top. The options seem to have been added mostly in chronological feature order, rather than reverse most frequently used order.

2. Caching of ifp->if_index in the rule 'microinstructions' to remove the need for a strncmp to match interface names. Might be tricky if interfaces are destroyed and recreated without invalidating this cache.

Then, state is not interface aware. I have used this effect to inject packets from one network to another where the rules on the other interface specifically deny these packets. There is a patch in kern/97951 to fix this problem.

Ian

--
Ian Freislich
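The second suggestion above (cache the interface index in the rule instead of doing a strncmp per packet) and its caveat (interfaces destroyed and recreated behind the cache's back) can be modelled in a few lines of C. The following is an added illustration, not ipfw code and not part of the original message: it uses a toy interface table (`ifnet`, `iface_create`, `iface_destroy`, all constructed for this example) that hands out the lowest free index, the way a destroyed interface's index can be recycled by a later one, and a per-rule cache validated with a table-wide generation counter (`if_generation`, an assumed mechanism). `ifrule_match_stale` shows what goes wrong without invalidation; `ifrule_match` is the guarded version.

```c
#include <stdio.h>
#include <string.h>

#define IF_NAMESIZE 16
#define MAX_IFACES  8

/* Toy model of the kernel interface list (assumption, not ipfw's data). */
struct iface {
    char name[IF_NAMESIZE];
    int  index;                    /* 0 marks an unused slot */
};

static struct iface ifnet[MAX_IFACES];
static unsigned int if_generation; /* bumped on every create or destroy */

/* A rule's interface matcher: 'name' is what was configured; the rest is
 * the cache this example adds. */
struct ifrule {
    char          name[IF_NAMESIZE];
    int           cached_index;    /* 0: no such interface right now */
    unsigned int  cached_gen;      /* if_generation when the cache was filled */
    unsigned long name_lookups;    /* instrumentation: slow-path count */
};

void ifnet_reset(void) {
    memset(ifnet, 0, sizeof ifnet);
    if_generation = 0;
}

static int index_in_use(int idx) {
    for (int i = 0; i < MAX_IFACES; i++)
        if (ifnet[i].index == idx) return 1;
    return 0;
}

/* Creates an interface, reusing the lowest free index (as a real system may). */
int iface_create(const char *name) {
    for (int i = 0; i < MAX_IFACES; i++) {
        if (ifnet[i].index != 0) continue;
        int idx = 1;
        while (index_in_use(idx)) idx++;
        strncpy(ifnet[i].name, name, IF_NAMESIZE - 1);
        ifnet[i].name[IF_NAMESIZE - 1] = '\0';
        ifnet[i].index = idx;
        if_generation++;
        return idx;
    }
    return -1;
}

int iface_destroy(int idx) {
    for (int i = 0; i < MAX_IFACES; i++) {
        if (ifnet[i].index == idx) {
            memset(&ifnet[i], 0, sizeof ifnet[i]);
            if_generation++;
            return 0;
        }
    }
    return -1;
}

/* Slow path: the per-packet string compare the message wants to avoid. */
static int iface_lookup_by_name(const char *name) {
    for (int i = 0; i < MAX_IFACES; i++)
        if (ifnet[i].index && strncmp(ifnet[i].name, name, IF_NAMESIZE) == 0)
            return ifnet[i].index;
    return 0;
}

void ifrule_init(struct ifrule *r, const char *name) {
    memset(r, 0, sizeof *r);
    strncpy(r->name, name, IF_NAMESIZE - 1);
    r->cached_gen = ~0u;           /* forces one lookup on first use */
}

/* Unsafe variant: fills the cache once and trusts it forever. */
int ifrule_match_stale(struct ifrule *r, int pkt_ifindex) {
    if (r->cached_gen == ~0u) {
        r->cached_index = iface_lookup_by_name(r->name);
        r->cached_gen = 0;
    }
    return r->cached_index != 0 && r->cached_index == pkt_ifindex;
}

/* Fast path with invalidation: integer compare per packet, name lookup only
 * after the interface table has changed. */
int ifrule_match(struct ifrule *r, int pkt_ifindex) {
    if (r->cached_gen != if_generation) {
        r->name_lookups++;
        r->cached_index = iface_lookup_by_name(r->name);
        r->cached_gen = if_generation;
    }
    return r->cached_index != 0 && r->cached_index == pkt_ifindex;
}

int main(void) {
    ifnet_reset();
    int a = iface_create("vlan100");
    struct ifrule safe, stale;
    ifrule_init(&safe, "vlan100");
    ifrule_init(&stale, "vlan100");
    printf("before: safe=%d stale=%d\n", ifrule_match(&safe, a), ifrule_match_stale(&stale, a));
    iface_destroy(a);
    int c = iface_create("vlan102");  /* recycles vlan100's index */
    printf("after recreate (index %d reused=%d): safe=%d stale=%d\n",
           c, c == a, ifrule_match(&safe, c), ifrule_match_stale(&stale, c));
    return 0;
}
```

The generation counter is coarse (any interface event revalidates every rule once), but that is one name lookup per rule per change rather than one per packet, and it covers both the destroy-without-recreate case and index recycling.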