Date: Tue, 25 Oct 2011 15:43:55 -0700
From: Julian Elischer <julian@freebsd.org>
To: Karim <fodillemlinkarim@gmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw rule processing performances
Message-ID: <4EA73BAB.70607@freebsd.org>
In-Reply-To: <4EA6D78F.6010607@gmail.com>
References: <4EA6D78F.6010607@gmail.com>
On 10/25/11 8:36 AM, Karim wrote:
> Hi all,
>
> I am using ipfw with a fairly small amount of rules (~200). Most of
> those are skipto rules to different blocking and pass-through
> blocks. I use ipfw tags, ALTQ, nat, fwd and several deny and allow
> rules and I do not use/need tables.
>
> What I find is around 400Mbps of traffic (~40kpps) an extremely high
> amount of cpu usage related to firewall processing.
>
> What I would like to know is if there is an ongoing work to optimise
> ipfw and/or gather ideas on how to do that.
>
> I realise my question has a large scope but I am not interested in
> optimizing my ruleset; I'd like to get a feel for how code wise the
> current processing could be optimized (using multiple input TX/RX
> queues for example, etc...).
>
> Thanks,
>
> Karim.
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

I find that the structure of the ruleset has a huge effect on the CPU
usage.

For example, I immediately split incoming and outgoing packets apart and
send them to different groups of rules. I also have different groups of
rules for internal and external rules.

So my rulesets usually start with:

    skipto 1000 all from any to any in recv ${OUTSIDE_INTERFACE}
    skipto 2000 all from any to any in recv ${INSIDE_INTERFACE}
    skipto 3000 all from any to any out xmit ${OUTSIDE_INTERFACE}
    skipto 4000 all from any to any out xmit ${INSIDE_INTERFACE}
    allow all from any to any via lo0
    drop all from any to any

I also try to use tables whenever possible.
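
Added example, not part of the original message: a toy Python model of ipfw's first-match rule walk that compares a flat ruleset with the skipto dispatch layout described in the reply, counting how many rules each packet has to be tested against. The interface names (em0, em1), the 50-ports-per-class policy and the rule numbering inside each block are assumptions constructed for illustration.

```python
# Added illustration: a toy model of ipfw's first-match rule walk (not ipfw code).
from bisect import bisect_left

OUTSIDE, INSIDE = "em0", "em1"   # assumed interface names
CLASSES = [("in", OUTSIDE), ("in", INSIDE), ("out", OUTSIDE), ("out", INSIDE)]
PORTS = range(50)                # constructed policy: 50 allowed ports per class

def evaluate(ruleset, pkt):
    """Walk rules in number order; return (verdict, rules_examined)."""
    rules = sorted(ruleset, key=lambda r: r[0])
    nums = [r[0] for r in rules]
    i = examined = 0
    while i < len(rules):
        _, action, arg, match = rules[i]
        examined += 1
        if all(pkt.get(k) == v for k, v in match.items()):
            if action != "skipto":
                return action, examined
            # skipto: resume at the first rule numbered >= arg (forward jumps only here)
            i = bisect_left(nums, arg)
        else:
            i += 1
    return "deny", examined

def flat_ruleset():
    """One long list: every rule repeats the direction/interface test."""
    rules, num = [], 100
    for d, ifc in CLASSES:
        for p in PORTS:
            rules.append((num, "allow", None, {"dir": d, "iface": ifc, "dport": p}))
            num += 1
    return rules + [(65534, "deny", None, {})]

def split_ruleset():
    """Dispatch on direction/interface first, as in the reply; blocks at 1000..4000."""
    rules = [(500, "allow", None, {"iface": "lo0"}), (600, "deny", None, {})]
    for i, (d, ifc) in enumerate(CLASSES, start=1):
        rules.append((i * 100, "skipto", i * 1000, {"dir": d, "iface": ifc}))
        rules += [(i * 1000 + p, "allow", None, {"dport": p}) for p in PORTS]
        rules.append((i * 1000 + 999, "deny", None, {}))  # block never falls through
    return rules

def compare(pkt):
    """Return ((verdict, examined) for flat, (verdict, examined) for split)."""
    return evaluate(flat_ruleset(), pkt), evaluate(split_ruleset(), pkt)

if __name__ == "__main__":
    for d, ifc in CLASSES:
        print(d, ifc, compare({"dir": d, "iface": ifc, "dport": 49}))
```

Both layouts reach the same verdicts for traffic on the two modelled interfaces; the difference is that a packet in the last class walks the whole flat list, while the dispatch layout costs at most four skipto tests plus one block.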