Date: Tue, 25 Oct 2011 23:30:13 -0400
From: Michael Sierchio <kudzu@tenebras.com>
To: Julian Elischer <julian@freebsd.org>
Cc: Karim <fodillemlinkarim@gmail.com>, freebsd-ipfw@freebsd.org
Subject: Re: ipfw rule processing performances
Message-ID: <CAHu1Y71Lf8=x3=S8cf__aT2fxyv6eX_EBqZvybgzwi9Q%2BSfzRQ@mail.gmail.com>
In-Reply-To: <4EA73BAB.70607@freebsd.org>
References: <4EA6D78F.6010607@gmail.com> <4EA73BAB.70607@freebsd.org>
On Tue, Oct 25, 2011 at 6:43 PM, Julian Elischer <julian@freebsd.org> wrote:

> I find that the structure of the ruleset has a huge effect on the cpu usage.
>
> for example I immediately split incoming and outgoing packets apart and send
> them to different groups of rules.
> I also have different groups of rules for internal and external rules.
> so my rulesets usually start with:
>
> skipto 1000 all from any to any in recv ${OUTSIDE_INTERFACE}
> skipto 2000 all from any to any in recv ${INSIDE_INTERFACE}
> skipto 3000 all from any to any out xmit ${OUTSIDE_INTERFACE}
> skipto 4000 all from any to any out xmit ${INSIDE_INTERFACE}
> allow all from any to any via lo0
> drop all from any to any
>
> I also try to use tables whenever possible.

I've found the same to be true, and use a scheme similar to what Julian describes - I have rules grouped based on interface and direction. Having larger tables and fewer table lookups is faster, in my experience - such that I have a big block list (~20,000 nets) and a small whitelist (~20 nets) ...

- M
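The layout both posters describe, written out as a small generator script. This is an added example, not code from either poster: it emits the skipto dispatch block, one short rule group per interface and direction, and table-load lines for a big block list and a small whitelist. Interface names (em0/em1), table numbers and rule numbers are assumed values.

```shell
#!/bin/sh
# Added example, not from the original message: print an ipfw ruleset that
# dispatches on interface+direction first (one skipto per packet), then
# evaluates only the short group for that case, with the small whitelist
# checked before the single large block-list lookup.
# Interface names, table numbers and rule numbers are assumptions.

OUTSIDE_INTERFACE=${OUTSIDE_INTERFACE:-em0}
INSIDE_INTERFACE=${INSIDE_INTERFACE:-em1}
BLOCK_TABLE=1   # large deny list (the ~20,000-net block list in the thread)
ALLOW_TABLE=2   # small whitelist (~20 nets), consulted first

# Read networks from stdin (one per line; blanks and '#' comments ignored)
# and print "table N add <net>" lines for table $1.
emit_table() {
    while IFS= read -r net; do
        case $net in ''|'#'*) continue ;; esac
        printf 'table %s add %s\n' "$1" "$net"
    done
}

# Print the rule skeleton in ipfw(8) file syntax ('#' lines are comments).
emit_ruleset() {
    cat <<EOF
add 100 skipto 1000 all from any to any in recv $OUTSIDE_INTERFACE
add 110 skipto 2000 all from any to any in recv $INSIDE_INTERFACE
add 120 skipto 3000 all from any to any out xmit $OUTSIDE_INTERFACE
add 130 skipto 4000 all from any to any out xmit $INSIDE_INTERFACE
add 140 allow all from any to any via lo0
add 150 deny all from any to any
# 1000: inbound on the outside interface: whitelist, then one block-list lookup
add 1000 allow ip from table($ALLOW_TABLE) to any
add 1010 deny ip from table($BLOCK_TABLE) to any
add 1020 check-state
add 1030 allow tcp from any to me 22,443 setup keep-state
add 1990 deny all from any to any
# 2000: inbound on the inside interface: LAN may initiate, replies via state
add 2000 allow ip from any to any keep-state
add 2990 deny all from any to any
# 3000/4000: outbound groups: the decision was already made on input
add 3000 allow ip from any to any
add 4000 allow ip from any to any
EOF
}
```

On a FreeBSD host the combined output of `emit_table` and `emit_ruleset` can be written to a file, syntax-checked with `ipfw -n file`, and loaded with `ipfw -q file`.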