ipfw performance and random musings.

Luigi Rizzo rizzo at icir.org
Wed Aug 2 19:40:57 UTC 2006


On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> Luigi Rizzo wrote:
> > On Wed, Aug 02, 2006 at 12:27:39PM +0200, Ian FREISLICH wrote:
> > ...
> > > things.  I can also give the ifp->if_index cache a go.  Since I
> > > need to virtualise the firewall, I need a set of rules for each
> > > interface.  I can't think of another way of sharing the firewall
> > > between a few hundred customers than by doing this:
> > 
> > that's too heavyweight, perhaps you need to implement a
> > new microinstruction to hash the interface name and do an indirect
> > jump to the right target. Although the syntax can be tricky, something
> > like
> > 	hash-if name:base:delta[,name:base:delta]
> > 
> > where name is the basename of the interface (e.g. vlan)
> > so that packets from interface fooX would jump to base+X*delta
> 
> So, this will get performance to approach 120kpps, that will still
> need to do a linear search of the rule set to find the next rule,
> which I see I have to do anyway.  For some reason I thought skipto
> used a pointer to the next rule.

skipto does use a pointer, and you are right, if one wants a high speed
implementation the jump target should be looked up using a hash
table as well (perhaps replacing the pointer in the rule itself).

> You're thinking somewhere on the lines of:
> 
> skipto base hash-if <name pattern> from <number> to <number> delta <delta> [offset <number>]

i did not consider the range in interface numbers,
but that's a possibility, yes.

On the other hand, i don't think one is going to write
500 different subsets of ipfw rules to handle the 500
different interfaces.

another approach that was suggested long ago was to put, in
the interface definition, a starting ipfw rule number so
the ip_fw_chk() would start from there if available,
rather than from rule 1.

cheers
luigi
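The hash-if instruction sketched above (jump to base + X*delta for a packet from interface fooX) together with a hashed, rather than linearly searched, skipto target lookup, as an added C illustration that is neither ipfw code nor anything from this thread: the name:base:delta table, the sample rule numbers and the use of a direct-indexed array over the 16-bit rule-number space as the "hash" are constructed assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#define IPFW_MAXRULE 65535   /* ipfw rule numbers are 16-bit */

/* One name:base:delta entry of the proposed hash-if instruction. */
struct hashif_entry { const char *name; int base; int delta; };
/* Constructed sample table (assumption): vlanX jumps to 1000 + X*10, ngX to 20000 + X*5. */
static const struct hashif_entry hashif_table[] = { { "vlan", 1000, 10 }, { "ng", 20000, 5 } };
/* Constructed sample rule set, numbers ascending as ipfw keeps them. */
static const int rules[] = { 100, 1000, 1005, 1170, 1175, 20000, 65535 };
#define NRULES ((int)(sizeof rules / sizeof rules[0]))
/* next_rule[n]: index of the first rule numbered >= n (skipto semantics), -1 if none. */
static int next_rule[IPFW_MAXRULE + 1];

/* Built once per rule-set change, so a jump costs one array lookup instead of a linear scan. */
void build_next_rule(void)
{
    int i = NRULES - 1;
    for (int n = IPFW_MAXRULE; n >= 0; n--) {
        while (i > 0 && rules[i - 1] >= n) i--;
        next_rule[n] = rules[i] >= n ? i : -1;
    }
}

/* Target rule number for a packet from ifname ("vlan17" -> base + 17*delta); -1 = no match. */
int hashif_target(const char *ifname)
{
    size_t n = strlen(ifname), i = n;
    while (i > 0 && isdigit((unsigned char)ifname[i - 1])) i--;   /* i = length of basename */
    if (i == 0 || i == n || n - i > 5) return -1;                  /* no basename, no unit, or absurd unit */
    for (size_t k = 0; k < sizeof hashif_table / sizeof hashif_table[0]; k++) {
        const struct hashif_entry *e = &hashif_table[k];
        if (strlen(e->name) != i || strncmp(e->name, ifname, i) != 0) continue;
        long long t = (long long)e->base + atoll(ifname + i) * e->delta;
        return t > IPFW_MAXRULE ? -1 : (int)t;   /* unit too large: would land past the last rule */
    }
    return -1;  /* no entry for this basename: fall through to the next rule */
}

/* Index into rules[] the jump lands on, or -1 (treat as "continue with the next rule"). */
int hashif_rule_index(const char *ifname)
{
    static int built;
    if (!built) { build_next_rule(); built = 1; }   /* lazily build the table for this example */
    int t = hashif_target(ifname);
    return t < 0 ? -1 : next_rule[t];
}
```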
