ipfw cached ucred patch

Christian S.J. Peron csjp at freebsd.org
Tue Jun 1 21:35:37 PDT 2004


All,

Currently, when you have any rules which contain UID/GID
constraints, ipfw will lock the pcb hash and do a lookup
to find the pcb associated with that packet -- one for each
constraint.

I have written a patch in an attempt to minimize the impact
of PCB related lookups for these types of firewall rules.

This patch will have the following effects on firewalls which
contain UID/GID constraints:

 o Greatly reduce the locking contention associated
   with PCB lookups.

 o Increase the performance of the firewall in general by making
   PCB lookups O(1) rather than O(n) (where n represents
   number of UID/GID constraints in the ruleset)

It would be greatly appreciated if people who are running ipfw
rule sets containing UID/GID constraints tested this patch
and reported any success or failures.

The patch can be downloaded from:

http://people.freebsd.org/~csjp/ip_fw2_cached_ucred.patch

NOTE:

It also appears that ip_output passes a reference to the PCB.
Perhaps we can hold a reference to the ucred stored in that
entry and do away with lookups on outgoing packets altogether?

--
Christian S.J. Peron
csjp at FreeBSD.ORG
FreeBSD Committer
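
An added illustration, not part of the original message and not code from the linked patch: a user-space C model of the behaviour described above, counting simulated PCB lookups for one packet when the credentials are fetched per constraint versus fetched once and reused. All names, the ruleset and the owner's UID/GID are constructed assumptions, not FreeBSD kernel APIs.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: every name here is hypothetical, not a kernel API. */
enum kind { R_OTHER, R_UID, R_GID };   /* R_OTHER: no credential constraint */
struct rule { enum kind kind; unsigned id; };
struct cred { unsigned uid, gid; };

/* Constructed ruleset: the packet's owner only matches the last rule. */
static const struct rule sample_rules[] = {
    { R_UID, 0 }, { R_OTHER, 0 }, { R_GID, 5 }, { R_UID, 80 }, { R_UID, 1001 },
};

/* Stand-in for "lock the PCB hash, find the socket, read its credentials". */
static struct cred pcb_lookup(unsigned *lookups)
{
    (*lookups)++;
    return (struct cred){ .uid = 1001, .gid = 20 };   /* constructed owner */
}

/*
 * Evaluate one packet; return the index of the first matching rule or -1.
 * *lookups receives the number of simulated PCB lookups performed.
 * The cache is a local, so it never outlives the packet it was fetched for.
 */
int check_packet(const struct rule *rules, int n, bool use_cache,
                 unsigned *lookups)
{
    struct cred cred = { 0, 0 };
    bool have_cred = false;
    *lookups = 0;
    for (int i = 0; i < n; i++) {
        if (rules[i].kind == R_OTHER)
            continue;                    /* no credentials needed, no lookup */
        if (!use_cache || !have_cred) {  /* uncached: one lookup per constraint */
            cred = pcb_lookup(lookups);
            have_cred = true;
        }
        if ((rules[i].kind == R_UID ? cred.uid : cred.gid) == rules[i].id)
            return i;
    }
    return -1;
}

int main(void)
{
    unsigned slow, fast;
    int a = check_packet(sample_rules, 5, false, &slow);
    int b = check_packet(sample_rules, 5, true, &fast);
    printf("matched rule %d/%d; lookups: %u uncached, %u cached\n", a, b, slow, fast);
    return 0;
}
```

In this model the lookup is also lazy: a packet that never reaches a UID/GID rule performs no lookup at all.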


More information about the freebsd-ipfw mailing list