From owner-freebsd-bugs@FreeBSD.ORG Mon May 2 16:10:10 2011
Message-Id: <201105021608.p42G86IW043674@red.freebsd.org>
Date: Mon, 2 May 2011 16:08:06 GMT
From: Alexandr
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/156770: ipfw/dummynet: performance improvement and several extensions

>Number: 156770
>Category: kern
>Synopsis: ipfw/dummynet: performance improvement and several extensions
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon May 02 16:10:10 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Alexandr
>Release: 7.2-RELEASE-p8
>Organization: NetAssist
>Environment:
FreeBSD homecat.alter.org.ua 7.2-RELEASE-p8 FreeBSD 7.2-RELEASE-p8 #6: Sat Apr 23 12:52:20 EEST 2011 root@homecat.alter.org.ua:/usr/src/sys/i386/compile/CAT_v14c i386
>Description:
# add commands zshow, replace
# option -Q for ignoring ALL errors in ruleset
# add 'skipto tablearg'
# add 'via table()', you can insert interface name into table
# add condition 'if-index' - number of interface (e.g. for vlan55 it would be 55)
# indexing of rules in kernel (index table) for fast handling of skipto tablearg, and effective add/remove of large amount of rules.
# mapped table - for tables containing many single IPs (e.g., /32) we perform large subnet lookup via b-tree (e.g., /23, controlled by sysctl net.inet.ip.fw.def_map_mlen), and inside each /23 perform table lookup. Works much faster.
# map table - hash-based division of large IP block on several small ones. For example, /16 can be divided into 256 subnets. We can do it by 3rd octet (hoffset 16, hlen 8). Also, we can do it by 4th octet (hoffset 24, hlen 8). hoffset defines number of the 1st bit of hash, hlen - hash length in bits. Also, we define base IP and netmask for map table to match large IP block.
# indexed pipe lookup table (controlled by sysctl net.inet.ip.dummynet.full_indexing)
# traffic counter/limiter - count-upd, count-check, count-exceed.
# nexthop ipfw action. In contrast to fwd it just sets next-hop for packet and continues rule processing.
# optimized dummynet io_fast. Value 2 makes dummynet just forward packet without placing to the queue, if bandwidth limit is not exceeded. When value is set to 1 packet is added and then removed from queue (it is a bit slower).
# it is possible to use bmap instead of port list. It gives performance benefit when you have large list of services. Lookup time doesn't depend on list size. Rather useful to QoS game traffic.
# Fast ipfw tagging (ftag) - you can assign up to 32 ftags on packet. All ftags are stored in single memory block as bitmap. They are faster than usual tags, which allocate separate memory block for each tag.
# Local ipfw tagging (ltag) - you can assign up to 32 ftags on packet. Ltags are not preserved when packet leaves ipfw ruleset (e.g. is sent to another interface, diverted or passed through pipe). The benefit is performance - ltag does not require memory allocation at all.
>How-To-Repeat:
>Fix:
http://alter.org.ua/soft/fbsd/ipfw/ipfw.72.20110501.patch.gz
>Release-Note:
>Audit-Trail:
>Unformatted:
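The map-table split described in the report (base IP and netmask plus hoffset/hlen), sketched as an added example; this is not code from the patch or from the submitter. All names are hypothetical, bit 0 is taken to be the most significant bit (inferred from the report's "3rd octet = hoffset 16, hlen 8" case), linked-list buckets stand in for the per-bucket tables, and the hlen cap of 16 is a constructed bound on allocation size.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical names; addresses are in host byte order. */
struct map_entry { uint32_t addr, value; struct map_entry *next; };
struct map_table {
    uint32_t base, mask;       /* large IP block the table matches */
    unsigned hoffset, hlen;    /* first hash bit (0 = MSB), hash width */
    struct map_entry **bucket; /* 1 << hlen small sub-tables */
};

/* Returns 0 on success, -1 if the hash window is invalid or alloc fails. */
int map_init(struct map_table *t, uint32_t base, uint32_t mask,
             unsigned hoffset, unsigned hlen)
{
    /* Reject windows that leave the 32-bit address; cap hlen (assumed). */
    if (hlen == 0 || hlen > 16 || hoffset + hlen > 32)
        return -1;
    t->base = base & mask; t->mask = mask;
    t->hoffset = hoffset; t->hlen = hlen;
    t->bucket = calloc((size_t)1 << hlen, sizeof(*t->bucket));
    return t->bucket ? 0 : -1;
}

/* Bucket index for addr, or -1 when addr is outside base/mask. */
long map_index(const struct map_table *t, uint32_t addr)
{
    if ((addr & t->mask) != t->base)
        return -1;
    return (long)((addr >> (32 - t->hoffset - t->hlen)) &
                  ((1u << t->hlen) - 1));
}

int map_add(struct map_table *t, uint32_t addr, uint32_t value)
{
    long i = map_index(t, addr);
    struct map_entry *e = i < 0 ? NULL : malloc(sizeof(*e));
    if (e == NULL)
        return -1;
    e->addr = addr; e->value = value;
    e->next = t->bucket[i]; t->bucket[i] = e;
    return 0;
}

/* Searches only the one sub-table selected by the hash bits. */
int map_lookup(const struct map_table *t, uint32_t addr, uint32_t *value)
{
    long i = map_index(t, addr);
    for (struct map_entry *e = i < 0 ? NULL : t->bucket[i]; e; e = e->next)
        if (e->addr == addr) { *value = e->value; return 1; }
    return 0;
}
```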