ipfw rules optimising

Anatoliy e9 at homei.net.ua
Fri Oct 17 16:56:04 UTC 2008


Julian Elischer wrote:
> Anatoliy wrote:
>> Greetings to all.
>>
>> I have a problem to optimise ipfw rules.
>> When I have started to search for the decision there were some questions
>> How it is possible to find out how many
>> loading gives this or that rule or all corrected as a whole.
>> Prompt as it better to make in practice?
>> As it would be desirable to learn as dynamic pipes the quantity 
>> influences productivity,
>> how many calculations in a second occur thus etc.
>> if what or sysctl displaying expressly or by implication it is 
>> variables the information?
>>
>> Thanks, and sorry for bad English.
>
> This sounds like something that would be a useful project..
> (to profile ipfw)
>
> you could try kernel bb profiling if it still works or you could try 
> other ways to work it out..
Where can I read about this "bb profiling"?
>
> So far we do not have this information so if you do it we would be
> very interested.
For now I use a simple sh script,

but it is not all that I need ...


------ Script ------

[ ~/util]# cat ipfw_load.sh

#!/bin/sh
# private temp file instead of a fixed name in /tmp (the script runs as root)
TS_FILE=`mktemp /tmp/ipfw_timest.XXXXXX` || exit 1
trap 'rm -f "$TS_FILE"' EXIT
trap 'exit 1' INT TERM

printf "IPFW match/s\t act/s\t d_steps\t d_searches\t PFnat searches match\t\t CPU sys intrpt idle \n"
n=0
while :
do
# get the last-match time stamp of every rule, newest first
ipfw -T show | awk '{print $4}' | sort -rn > "$TS_FILE"

# newest time stamp
TS_FW_MAX=`head -n 1 "$TS_FILE"`

# count the rules that were active at that time stamp
FW_ACT=`grep -c -- "${TS_FW_MAX}" "$TS_FILE"`

# packet count summed over all rules
val1_rs=$((`ipfw show | awk '{print $2"+"}'`0))
# dummynet search steps so far
val1_dnet_stps=`sysctl -n net.inet.ip.dummynet.search_steps`
# dummynet searches so far
val1_snet_searchs=`sysctl -n net.inet.ip.dummynet.searches`

sleep 1
# the same three counters one second later
val2_rs=$((`ipfw show | awk '{print $2"+"}'`0))
val2_dnet_stps=`sysctl -n net.inet.ip.dummynet.search_steps`
val2_snet_searchs=`sysctl -n net.inet.ip.dummynet.searches`

# packets matched per second
MPS=$(($val2_rs-$val1_rs))

# dummynet search steps per second
DSTPSPS=$(($val2_dnet_stps-$val1_dnet_stps))

# dummynet searches per second
DSRCHSPS=$(($val2_snet_searchs-$val1_snet_searchs))

# CPU load (sys, interrupt, idle) from the second iostat sample
CPU_LD=`iostat -c 2 -t proc | tail -n +4 | awk '{print $5" "$6" "$7}'`
# pf state table searches and matches per second
PFNAT=`pfctl -si | grep -wE "(searches)|(match)" | sed 's:/s::' | awk '{print $3}' | tr '\n' ' '`
# repeat the header every 10 lines
if [ $n -eq 10 ]; then
n=0
printf "\n IPFW match/s\t act/s\t d_steps\t d_searches\t PFnat searches match\t\t CPU sys intrpt idle \n"
fi

# values are passed as arguments so they are never interpreted as format strings
printf "%s\t\t %s\t %s\t\t %s\t\t %s\t %s \n" "${MPS}" "${FW_ACT}" "${DSTPSPS}" "${DSRCHSPS}" "${PFNAT}" "${CPU_LD}"
n=$(($n+1))
done
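
Added example (not part of the original post and not Anatoliy's code): the script above reports one aggregate match rate, and the same two-snapshot approach can be broken down per rule to show which rules match the most packets. The helper name `ipfw_rule_deltas`, the `demo` wrapper and the sample counters are constructed for illustration; the assumed `ipfw show` column layout is rule number, packets, bytes, rule body.

```shell
# Added example: per-rule match rate from two `ipfw show` snapshots.
# Assumed column layout: <rule number> <packets> <bytes> <rule body...>

# ipfw_rule_deltas BEFORE AFTER [SECONDS]   (hypothetical helper name)
# Prints "<packets/s><TAB><rule number and body>", busiest rule first.
ipfw_rule_deltas() {
    awk -v secs="${3:-1}" '
        # Key on number + body: ipfw allows several rules to share one number.
        function key(   i, k) {
            k = $1
            for (i = 4; i <= NF; i++) k = k " " $i
            return k
        }
        NR == FNR { before[key()] = $2; next }   # first file: remember counters
        {
            k = key()
            if (!(k in before)) next             # rule added between snapshots
            d = $2 - before[k]
            if (d > 0) printf "%d\t%s\n", d / secs, k   # skip idle or zeroed rules
        }
    ' "$1" "$2" | sort -rn
}

# Constructed sample snapshots taken 2 seconds apart (not real measurements).
sample_before() {
cat <<'EOF'
00100   1000    80000 allow ip from any to any via lo0
00200  50000  4000000 pipe 1 ip from 10.0.0.0/24 to any
00200  20000  1600000 pipe 2 ip from 10.0.1.0/24 to any
65535    900    54000 deny ip from any to any
EOF
}
sample_after() {
cat <<'EOF'
00100   1000    80000 allow ip from any to any via lo0
00200  58000  4640000 pipe 1 ip from 10.0.0.0/24 to any
00200  20600  1648000 pipe 2 ip from 10.0.1.0/24 to any
65535    920    55200 deny ip from any to any
EOF
}

demo() {
    b=$(mktemp /tmp/ipfw_before.XXXXXX) && a=$(mktemp /tmp/ipfw_after.XXXXXX) || return 1
    sample_before >"$b"; sample_after >"$a"
    ipfw_rule_deltas "$b" "$a" 2
    rm -f "$b" "$a"
}
demo
```

On a live firewall the two input files would come from `ipfw show > file` run a known number of seconds apart. The result is a match rate per rule, not a CPU cost per rule, so it indicates which rules are worth moving earlier in the ruleset rather than how expensive each one is.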




