From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 1 12:42:40 2007 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 5B2C316A402 for ; Sun, 1 Apr 2007 12:42:40 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id 6FDC713C465 for ; Sun, 1 Apr 2007 12:42:39 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 2A7B746FC2; Sun, 1 Apr 2007 08:19:18 -0400 (EDT) Date: Sun, 1 Apr 2007 13:19:18 +0100 (BST) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Julian Elischer In-Reply-To: <460D75CE.70804@elischer.org> Message-ID: <20070401131715.H1185@fledge.watson.org> References: <460D75CE.70804@elischer.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: FreeBSD Net , ipfw@freebsd.org Subject: Re: IPFW update frequency X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 01 Apr 2007 12:42:40 -0000 On Fri, 30 Mar 2007, Julian Elischer wrote: > I have been looking at the IPFW code recently, especially with respect to > locking. There are some things that could be done to improve IPFW's > behaviour when processing packets, but some of these take a toll (there is > always a toll) on the 'updating' side of things. > > For example. I can make IPFW lock-free during processing of packets (i.e. > not holding any locks while traversing the list) which would solve problems > we have with lock-order reversals when it needs to look at the socket layer > (which needs socket layer locks). Unfortunatly this would make it a lot more > expensive in the case where new rules are being added to the list. possibly > a LOT more expensive. Now, this would only matter if one was adding (or > deleting) hundreds of rules per second to the firewall, but as I've > discovered, there's always SOMEONE that is doing the very thing you imagine > that no-one would ever do. > > In my imagination, most of the people who did this sort of thing don't need > to do it any more as tables obviate the need for that sort of thing. > > Is there anyone out there who is adding hundreds (or even dozens) of rules > per second on a continuous basis, or who wants rule changing to be a really > efficient operation? (does it matter to you if it takes a few milliSecs to > add a rule?) Just to make sure this hits the public thread also, as I know we've talked about it privately: Stephan Upholf has an implementation of a mostly-read lock in the works, which avoids any atomic operations during acquisition of a read reference, at the cost of increasing the cost of write lock acquires. This might provide what we need without fundamentally restructuring ipfw. It would be useful, once that is available, to examine the costs and benefits of both approaches side-by-side. Historically, I've been quite interested in doing something like that you describe, but the complexity cost is high, so if we can make a simpler solution (mrlocks) work just as well, that would be preferable. Robert N M Watson Computer Laboratory University of Cambridge