ipfw cached ucred patch

Andre Oppermann andre at freebsd.org
Wed Jun 2 02:26:30 PDT 2004


Christian S.J. Peron wrote:
> All,
> 
> Currently, when you have any rules which contain UID/GID
> constraints, ipfw will lock the pcb hash and do a lookup
> to find the pcb associated with that packet -- 
> One for each constraint.
> 
> I have written a patch in attempt to minimize the impact
> of PCB related lookups for these type of firewall rules.
> 
> This patch will have the following effects on firewalls which
> contain UID/GID constraints:
> 
>  o Greatly reduce the locking contention associated
>    with PCB lookups.
> 
>  o Increase the performance of firewall in general by making
>    PCB lookups O(1) rather than O(n) (where n represents
>    number of UID/GID constraints in the ruleset)
> 
> It would be greatly appreciated if people who are running ipfw
> rule sets containing UID/GID constraints tested this patch
> and reported any success or failures.
> 
> The patch can be downloaded from:
> 
> http://people.freebsd.org/~csjp/ip_fw2_cached_ucred.patch

You can optimize it even further by directly copying the uid/gid
from the ucred while you hold the INP_LOCK.  There is no need to
hold on to the entire ucred.  It should be sufficient to do the
ucred lookup only once per packet in the ipfw code.  If you don't
find an INPCB for the packet you'll do a negative lookup for every
uid/gid rule.

> It also appears that ip_output passes a reference to the PCB.
> Perhaps we can hold a reference to the ucred stored in that
> entry and do away with lookups on outgoing packets all-together?

Yes, that would be possible but that weaves ipfw even tighter with
ip_output and I'm currently converting it to go through the pfil_hooks
mechanism.  Pfil_hooks does not allow such additional information to
be passed along directly.  What you could do is to pass a m_tag with
the numerical uid/gid along with locally generated packets to get the
same effect.  Here it would be good to co-ordinate with pf/ipfilter
guys so that they can use this m_tag too.  However for a first step
just redo the lookup once per packet if necessary.

-- 
Andre
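
The "one PCB lookup per packet, copy only the numeric uid/gid, and remember a miss too" structure that Andre describes can be sketched outside the kernel. The following is an added illustration written for this archive page, not code from csjp's patch or from ipfw; it replaces the in-kernel PCB hash with a constructed two-entry table, a counter stands in for the cost of taking the INP_LOCK, and all struct and function names (pcb_lookup, cred_for, eval_packet, the sample rule set and packets) are assumptions chosen for the example:

```c
#include <stdio.h>
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for the in-kernel PCB table: one entry per socket. */
struct pcb { uint32_t laddr, faddr; uint16_t lport, fport; uint32_t uid, gid; };

static const struct pcb pcbs[] = {
    /* listening sshd connection owned by root */
    { 0x0a000001, 0x0a000002, 22,    40000, 0,    0 },
    /* outbound HTTPS connection owned by uid 1001 / gid 1001 */
    { 0x0a000001, 0xc0a80001, 51234, 443,   1001, 1001 },
};

struct packet { uint32_t src, dst; uint16_t sport, dport; };

/* Counts hash lookups so the caller can see "one per packet". */
static int pcb_lookups;

/* Simulated in_pcblookup_hash(): what matters here is how often it runs,
   not that this toy version is a linear scan. */
static const struct pcb *pcb_lookup(const struct packet *p)
{
    pcb_lookups++;
    for (size_t i = 0; i < sizeof pcbs / sizeof pcbs[0]; i++) {
        const struct pcb *c = &pcbs[i];
        if ((c->laddr == p->dst && c->lport == p->dport &&
             c->faddr == p->src && c->fport == p->sport) ||
            (c->laddr == p->src && c->lport == p->sport &&
             c->faddr == p->dst && c->fport == p->dport))
            return c;
    }
    return NULL;
}

/* Per-packet credential cache: only the numeric uid/gid are copied out while
   the (simulated) INP_LOCK is held, and a miss is remembered as well, so a
   packet with no PCB does not cost one negative lookup per uid/gid rule. */
struct cred_cache { bool resolved; bool found; uint32_t uid, gid; };

static const struct cred_cache *cred_for(const struct packet *p, struct cred_cache *cc)
{
    if (!cc->resolved) {
        const struct pcb *c = pcb_lookup(p);
        cc->resolved = true;
        cc->found = (c != NULL);
        if (c) { cc->uid = c->uid; cc->gid = c->gid; }  /* copy, do not keep the ucred */
    }
    return cc;
}

enum rtype { R_UID, R_GID };
struct rule { enum rtype type; uint32_t value; };

/* Evaluate every uid/gid rule against one packet. Returns the number of rules
   matched; *lookups receives how many PCB lookups the evaluation cost. */
static int eval_packet(const struct packet *p, const struct rule *rules, int nrules, int *lookups)
{
    struct cred_cache cc = { false, false, 0, 0 };
    int matched = 0;
    pcb_lookups = 0;
    for (int i = 0; i < nrules; i++) {
        const struct cred_cache *c = cred_for(p, &cc);
        if (!c->found)
            continue;                        /* cached miss: no repeated lookup */
        uint32_t have = rules[i].type == R_UID ? c->uid : c->gid;
        if (have == rules[i].value)
            matched++;
    }
    *lookups = pcb_lookups;
    return matched;
}

/* Constructed rule set with several uid/gid constraints. */
static const struct rule ruleset[] = {
    { R_UID, 0 }, { R_UID, 1001 }, { R_GID, 1001 }, { R_GID, 0 }, { R_UID, 1002 },
};
#define NRULES ((int)(sizeof ruleset / sizeof ruleset[0]))

/* Constructed packets: one from the uid-1001 socket, one with no local socket. */
static const struct packet pkt_https = { 0x0a000001, 0xc0a80001, 51234, 443 };
static const struct packet pkt_stray = { 0x0a000009, 0x0a000001, 1234,  9999 };

static int matches_for(const struct packet *p) { int lk; return eval_packet(p, ruleset, NRULES, &lk); }
static int lookups_for(const struct packet *p) { int lk; (void)eval_packet(p, ruleset, NRULES, &lk); return lk; }

int main(void)
{
    printf("https packet: %d rules matched, %d PCB lookups\n", matches_for(&pkt_https), lookups_for(&pkt_https));
    printf("stray packet: %d rules matched, %d PCB lookups\n", matches_for(&pkt_stray), lookups_for(&pkt_stray));
    return 0;
}
```

With five uid/gid rules, both packets cost exactly one lookup: the first because the uid/gid are cached after the first rule, the second because the miss is cached too, which is the negative-lookup case Andre points out. The m_tag variant he suggests for locally generated packets would simply fill the cache from the tag instead of calling pcb_lookup at all.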


More information about the freebsd-ipfw mailing list