Date: Wed, 2 Aug 2006 12:40:53 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Ian FREISLICH <if@hetzner.co.za>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw performance and random musings.
Message-ID: <20060802124053.A22010@xorpc.icir.org>
In-Reply-To: <E1G8F7j-000ICo-Pv@hetzner.co.za>; from if@hetzner.co.za on Wed, Aug 02, 2006 at 01:42:51PM +0200
References: <rizzo@icir.org> <E1G8F7j-000ICo-Pv@hetzner.co.za>
On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> Luigi Rizzo wrote:
> > On Wed, Aug 02, 2006 at 12:27:39PM +0200, Ian FREISLICH wrote:
> > ...
> > > things. I can also give the ifp->if_index cache a go. Since I
> > > need to virtualise the firewall, I need a set of rules for each
> > > interface. I can't think of another way of sharing the firewall
> > > between a few hundred customers than by doing this:
> >
> > that's too heavyweight, perhaps you need to implement a
> > new microinstruction to hash the interface name and do an indirect
> > jump to the right target. Although the syntax can be tricky, something
> > like
> >
> > hash-if name:base:delta[,name:base:delta]
> >
> > where name is the basename of the interface (e.g. vlan)
> > so that packets from interface fooX would jump to base+X*delta
>
> So, this will get performance to approach 120kpps, that will still
> need to do a linear search of the rule set to find the next rule,
> which I see I have to do anyway. For some reason I thought skipto
> used a pointer to the next rule.

skipto does use a pointer, and you are right, if one wants a high speed
implementation the jump target should be looked up using a hash table
as well (perhaps replacing the pointer in the rule itself).

> You're thinking somewhere along the lines of:
>
> skipto base hash-if <name pattern> from <number> to <number> delta <delta> [offset <number>]

I did not consider the range in interface numbers, but that's a
possibility, yes.

On the other hand, I don't think one is going to write 500 different
subsets of ipfw rules to handle the 500 different interfaces.

Another approach that was suggested long ago was to put, in the
interface definition, a starting ipfw rule number so the ip_fw_chk()
would start from there if available, rather than from rule 1.

cheers
luigi
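The two mechanisms sketched in this exchange, a hash-if style dispatch that maps interface fooX to rule number base+X*delta (with Ian's unit range), and a hash table so a jump target is found without scanning the rule set, as an added example in C. This is editor-supplied illustration code, not ipfw source and not code from either poster; struct hashif_entry, split_ifname, hashif_target, ruleset_index, ruleset_skipto, HSIZE, the IPFW_MAXRULE bound check and the sample table and rule numbers are all assumptions of this example. The bound check is the part a practitioner would want: a unit outside the configured range, or one whose block would run past 65535, is refused instead of being dispatched into another customer's rules.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define IPFW_MAXRULE 65535 /* ipfw rule numbers are 16-bit; 65535 is the default rule */
#define HSIZE 64           /* buckets for the rule-number hash (an assumption) */

/* One hash-if entry (hypothetical syntax): name:base:delta plus a unit range. */
struct hashif_entry {
    const char *basename;   /* interface name without the unit, e.g. "vlan" */
    int unit_from, unit_to; /* inclusive unit range served by this entry */
    unsigned base, delta;   /* first rule number, and rules reserved per interface */
};
/* Rules kept in ascending number order, plus a hash chain per rule number. */
struct rule { unsigned rulenum; struct rule *hnext; };
struct ruleset { struct rule *rules; size_t nrules; struct rule *htab[HSIZE]; };

/* Split "vlan123" into "vlan" and 123; reject a name with no unit, an empty
 * basename, a basename too long for `base`, or more than 5 unit digits. */
int split_ifname(const char *ifname, char *base, size_t baselen, int *unit) {
    size_t len = strlen(ifname), i = len;
    while (i > 0 && isdigit((unsigned char)ifname[i - 1]))
        i--;
    if (i == 0 || i == len || i >= baselen || len - i > 5)
        return 0;
    memcpy(base, ifname, i);
    base[i] = '\0';
    *unit = atoi(ifname + i);   /* at most 5 digits, so it fits an int */
    return 1;
}

/* Resolve ifname to base + unit*delta: 1 with *target set, or 0 when nothing
 * matches or the block [t, t+delta) would not fit below the default rule. */
int hashif_target(const struct hashif_entry *tab, size_t n, const char *ifname,
    unsigned *target) {
    char base[16];
    int unit;
    size_t k;
    unsigned long t;
    if (!split_ifname(ifname, base, sizeof base, &unit))
        return 0;
    for (k = 0; k < n; k++) {
        if (strcmp(tab[k].basename, base) != 0 ||
            unit < tab[k].unit_from || unit > tab[k].unit_to)
            continue;
        t = (unsigned long)tab[k].base + (unsigned long)unit * tab[k].delta;
        if (t + tab[k].delta > IPFW_MAXRULE)
            return 0;   /* block would spill past the last rule number */
        *target = (unsigned)t;
        return 1;
    }
    return 0;
}

/* Hash every rule by number so a jump target is found without a scan. */
void ruleset_index(struct ruleset *rs) {
    size_t k;
    memset(rs->htab, 0, sizeof rs->htab);
    for (k = 0; k < rs->nrules; k++) {
        unsigned h = rs->rules[k].rulenum % HSIZE;
        rs->rules[k].hnext = rs->htab[h];
        rs->htab[h] = &rs->rules[k];
    }
}

/* skipto semantics: the first rule numbered >= target. An exact number comes
 * from the hash; a gap in the numbering falls back to the linear scan. */
const struct rule *ruleset_skipto(const struct ruleset *rs, unsigned target) {
    const struct rule *r;
    size_t k;
    for (r = rs->htab[target % HSIZE]; r != NULL; r = r->hnext)
        if (r->rulenum == target)
            return r;
    for (k = 0; k < rs->nrules; k++)
        if (rs->rules[k].rulenum >= target)
            return &rs->rules[k];
    return NULL;
}

/* Constructed sample table: vlan0..499 get 100 rules each from 10000; em0..3
 * get 200 each from 65000, so em2 and em3 fail the IPFW_MAXRULE check.
 * Returns the target rule number, or -1 when the name is rejected. */
long resolve_sample(const char *ifname) {
    static const struct hashif_entry tab[] = {
        { "vlan", 0, 499, 10000, 100 }, { "em", 0, 3, 65000, 200 },
    };
    unsigned t;
    return hashif_target(tab, 2, ifname, &t) ? (long)t : -1;
}

/* Constructed sample rule set (numbers only), indexed and ready for skipto. */
const struct ruleset *sample_ruleset(void) {
    static struct rule rules[] = { {10000}, {10100}, {10700}, {10701}, {65000} };
    static struct ruleset rs = { rules, 5, { NULL } };
    ruleset_index(&rs);
    return &rs;
}
```

With the sample table, vlan7 resolves to 10700 and is found in one hash probe; vlan6 resolves to 10600, which has no rule of its own, so the lookup falls back to the scan and lands on 10700, exactly as a skipto would today. em2 is refused because 65400+200 exceeds the last rule number, which is the case a per-interface dispatch must handle before it is safe to expose to several hundred customers' interfaces.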