kern/156770: ipfw/dummynet: performance improvement and several
alter at alter.org.ua
Mon May 2 16:10:10 UTC 2011
>Synopsis: ipfw/dummynet: performance improvement and several extensions
>Arrival-Date: Mon May 02 16:10:10 UTC 2011
FreeBSD homecat.alter.org.ua 7.2-RELEASE-p8 FreeBSD 7.2-RELEASE-p8 #6: Sat Apr 23 12:52:20 EEST 2011
root at homecat.alter.org.ua:/usr/src/sys/i386/compile/CAT_v14c i386
# add commands zshow, replace
# option -Q for ignoring ALL errors in ruleset
# add 'skipto tablearg'
# add 'via table()', you can insert interface name into table
# add condition 'if-index' - number of interface (e.g. for vlan55 it would be 55)
# indexing of rules in kernel (index table) for fast handling of skipto tablearg, and effective add/remove of large amount of rules.
# mapped table - for tables containing many single IPs (e.g, /32) we perform large subnet lookup via b-tree (e.g, /23, controlled by sysctl net.inet.ip.fw.def_map_mlen), and inside each /23 perform table lookup. Works much faster.
# map table - hash-based division of large IP block on several small ones. For example, /16 can be divided into 256 subnets. We can do it by 3rd octet (hoffset 16, hlen 8). Also, we can do it by 4th octet (hoffset 24, hlen 8). hoffset defines number of the 1st bit of hash, hlen - hash length in bits. Also, we define base IP and netmask for map table to match large IP block.
# indexed pipe lookup table (controlled by sysctl net.inet.ip.dummynet.full_indexing)
# traffic counter/limiter - count-upd, count-check, count-exceed.
# nexthop ipfw action. In contrast to fwd it just sets next-hop for packet and continue rule procesing.
# optimized dummynet io_fast. Value 2 makes dummynet just forward packet without placing to the queue, if bandwith lemit is not exceeded. When value is set to 1 packet is added and then removed from queue (It is bit slower).
# it is possible to use bmap instead of port list. It gives performance benefit when you have large list of services. Lookup time doesn't depend on list size. Rather useful to QoS game traffic.
# Fast ipfw tagging (ftag) - you can assign up to 32 ftags on packet. All ftags are stored in single memory block as bitmap. Are faster than usual tags, those allocate separate memory block for each tag.
# Local ipfw tagging (ltag) - you can assign up to 32 ftags on packet. Ltags are not preserved when packet leaves ipfw ruleset (e.g. is sent to another interface, diverted or passed through pipe). The benefit is performance - ltag does not require memory allocation at all.
More information about the freebsd-bugs