Date: Tue, 28 Apr 2009 11:40:48 +0800
From: Adrian Chadd <adrian@freebsd.org>
To: ddg@yan.com.br
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: Re: IPFW MAX RULES COUNT PERFORMANCE
Message-ID: <d763ac660904272040o520b23d0j9d60df98bf570dd8@mail.gmail.com>
In-Reply-To: <49F5DBB3.6030500@yan.com.br>
References: <49F06985.1000303@yan.com.br> <d763ac660904241006v3eca3e76p46534ec5a6561fb2@mail.gmail.com> <49F5DBB3.6030500@yan.com.br>
You may want to investigate using pf; I'm not sure whether they handle this better.

Me, I'd investigate writing a "tree" ipfw rule type. I.e., instead of having a list of rules, all evaluated one at a time, I'd create a rule implementing a subrule match on ip/netmask with some kind of action (allow, deny, count, pipe, etc) rather than having it all be evaluated O(n) style.

2c,

Adrian

2009/4/28 Daniel Dias Gonçalves <ddg@yan.com.br>:
> Going to another example.
> If I wanted each authentication (username and password) in the captive
> portal to set up rules limiting the speed of the user's IP, how would I do it?
> Can I create two rules for in / out for each user, associated with a pipe? When
> simulating this with a script adding hundreds of rules, the latency also
> increases; how do I resolve this?
>
> Adrian Chadd wrote:
>>
>> You'd almost certainly be better off hacking up an extension to ipfw
>> which lets you count a /24 in one rule.
>>
>> As in, the count rule would match on the subnet/netmask, have 256 32
>> (or 64 bit) integers allocated to record traffic in, and then do an
>> O(1) operation using the last octet of the v4 address to map it into
>> this 256 slot array to update counters for.
>>
>> It'd require a little tool hackery to extend ipfw in userland/kernel
>> space to do it but it would work and be (very almost) just as fast as
>> a single rule.
>>
>> 2c,
>>
>> Adrian
>>
>> 2009/4/23 Daniel Dias Gonçalves <ddg@yan.com.br>:
>>>
>>> Hi,
>>>
>>> My system is a FreeBSD 7.1R.
>>> When I add IPFW COUNT rules for 254 IPs from my network, one of my
>>> interfaces increases in latency, causing large delays in the network;
>>> when I delete the COUNT rules, everything returns to normal. What can it be?
>>>
>>> My script:
>>>
>>> ipcount.php
>>> -- CUT --
>>> <?
>>> $c=0;
>>> $a=50100;
>>> for($x=0;$x<=0;$x++) {
>>>       for($y=1;$y<=254;$y++) {
>>>               $ip = "192.168.$x.$y";
>>>               system("/sbin/ipfw -q add $a count { tcp or udp } from any to $ip/32");
>>>               system("/sbin/ipfw -q add $a count { tcp or udp } from $ip/32 to any");
>>>               #system("/sbin/ipfw delete $a");
>>>               $c++;
>>>               $a++;
>>>       }
>>> }
>>> echo "\n\nTotal: $c\n";
>>> ?>
>>> -- CUT --
>>>
>>> net.inet.ip.fw.dyn_keepalive: 1
>>> net.inet.ip.fw.dyn_short_lifetime: 5
>>> net.inet.ip.fw.dyn_udp_lifetime: 10
>>> net.inet.ip.fw.dyn_rst_lifetime: 1
>>> net.inet.ip.fw.dyn_fin_lifetime: 1
>>> net.inet.ip.fw.dyn_syn_lifetime: 20
>>> net.inet.ip.fw.dyn_ack_lifetime: 300
>>> net.inet.ip.fw.static_count: 262
>>> net.inet.ip.fw.dyn_max: 10000
>>> net.inet.ip.fw.dyn_count: 0
>>> net.inet.ip.fw.curr_dyn_buckets: 256
>>> net.inet.ip.fw.dyn_buckets: 10000
>>> net.inet.ip.fw.default_rule: 65535
>>> net.inet.ip.fw.verbose_limit: 0
>>> net.inet.ip.fw.verbose: 1
>>> net.inet.ip.fw.debug: 0
>>> net.inet.ip.fw.one_pass: 1
>>> net.inet.ip.fw.autoinc_step: 100
>>> net.inet.ip.fw.enable: 1
>>> net.link.ether.ipfw: 1
>>> net.link.bridge.ipfw: 0
>>> net.link.bridge.ipfw_arp: 0
>>>
>>> Thanks,
>>>
>>> Daniel
>>> _______________________________________________
>>> freebsd-net@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>>
>>
>
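The "count a whole subnet in one rule" idea Adrian sketches above, written out as an added user-space C example. This is not code from the thread and not ipfw's own implementation; the names subnet_count_rule, subnet_count_new, subnet_count_update and ip4 are hypothetical. It goes slightly beyond the /24 case in the mail: any prefix from /24 to /32 is accepted, the counter table has 2^(32 - prefixlen) slots, and the host bits of the address (the last octet for a /24) index the table directly, so one rule evaluation costs the same whether the subnet holds 1 host or 254.

```c
/* Added example: O(1) per-host traffic counters behind a single
 * subnet/netmask match, the alternative to one ipfw "count" rule per
 * host. All names are hypothetical, not ipfw's. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_HOST_BITS 8          /* /24 -> 256 slots, as in the thread */

struct host_counter {
    uint64_t pkts;
    uint64_t bytes;
};

struct subnet_count_rule {
    uint32_t net;                /* network address, host byte order */
    uint32_t mask;               /* netmask, host byte order */
    unsigned slots;              /* 2^(32 - prefixlen) host slots */
    struct host_counter *in;     /* traffic *to* a host in the subnet */
    struct host_counter *out;    /* traffic *from* a host in the subnet */
};

/* Pack a dotted quad into a host-order uint32_t (test/demo helper). */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Allocate a rule for net/prefixlen. Prefixes shorter than /24 are
 * refused so the table stays small; returns NULL on bad input or OOM. */
static struct subnet_count_rule *subnet_count_new(uint32_t net, unsigned prefixlen)
{
    if (prefixlen < 32 - MAX_HOST_BITS || prefixlen > 32)
        return NULL;
    struct subnet_count_rule *r = calloc(1, sizeof *r);
    if (r == NULL)
        return NULL;
    r->mask  = 0xffffffffu << (32 - prefixlen);   /* shift is 0..8 here */
    r->net   = net & r->mask;
    r->slots = 1u << (32 - prefixlen);
    r->in    = calloc(r->slots, sizeof *r->in);
    r->out   = calloc(r->slots, sizeof *r->out);
    if (r->in == NULL || r->out == NULL) {
        free(r->in); free(r->out); free(r);
        return NULL;
    }
    return r;
}

static void subnet_count_free(struct subnet_count_rule *r)
{
    if (r != NULL) { free(r->in); free(r->out); free(r); }
}

/* One rule evaluation for a packet src -> dst of len bytes. Two mask
 * compares and at most two table updates, independent of subnet size.
 * Returns 1 if the packet touched the subnet and was counted, else 0. */
static int subnet_count_update(struct subnet_count_rule *r,
                               uint32_t src, uint32_t dst, uint32_t len)
{
    int hit = 0;
    if ((dst & r->mask) == r->net) {          /* inbound to a subnet host */
        struct host_counter *c = &r->in[dst & ~r->mask];
        c->pkts++; c->bytes += len; hit = 1;
    }
    if ((src & r->mask) == r->net) {          /* outbound from a subnet host */
        struct host_counter *c = &r->out[src & ~r->mask];
        c->pkts++; c->bytes += len; hit = 1;
    }
    return hit;
}

/* Demo: replay a few constructed packets and print the non-zero rows,
 * roughly what "ipfw -a list" shows per rule today. */
int main(void)
{
    struct subnet_count_rule *r = subnet_count_new(ip4(192, 168, 0, 0), 24);
    if (r == NULL)
        return 1;
    /* constructed sample traffic: host .7 talks to 10.0.0.1, .200 receives */
    subnet_count_update(r, ip4(10, 0, 0, 1), ip4(192, 168, 0, 7), 1500);
    subnet_count_update(r, ip4(192, 168, 0, 7), ip4(10, 0, 0, 1), 60);
    subnet_count_update(r, ip4(10, 0, 0, 1), ip4(192, 168, 0, 200), 576);
    subnet_count_update(r, ip4(10, 0, 0, 1), ip4(192, 168, 1, 7), 1500); /* not ours */
    for (unsigned i = 0; i < r->slots; i++)
        if (r->in[i].pkts || r->out[i].pkts)
            printf("192.168.0.%-3u in %3llu/%-6llu out %3llu/%-6llu\n", i,
                   (unsigned long long)r->in[i].pkts, (unsigned long long)r->in[i].bytes,
                   (unsigned long long)r->out[i].pkts, (unsigned long long)r->out[i].bytes);
    subnet_count_free(r);
    return 0;
}
```

The point of the shape is that the expensive part of Daniel's setup, walking 508 static rules for every packet, collapses to two mask compares and an array index; the per-host detail the count rules were providing survives in the table, and the same table could hold per-host pipe or queue state for the captive-portal case. In a kernel version the counters would need to be per-CPU or atomically updated, which this user-space sketch ignores.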