IPFW MAX RULES COUNT PERFORMANCE

Julian Elischer julian at elischer.org
Thu Apr 23 17:39:43 UTC 2009


Daniel Dias Gonçalves wrote:
> Hi,
> 
> My system is a FreeBSD 7.1R.
> When I add rules IPFW COUNT to 254 IPS from my network, one of my 
> interfaces increases the latency, causing large delays in the network; 
> when I delete COUNT rules, everything returns to normal. What can it be?
> 
> My script:

of course adding 512 rules, *all of which have to be evaluated* will 
add latency.

you have several ways to improve this situation.

1/ use a different tool.
By using the netgraph netflow module you can get
accounting information that may be more useful and less impactful.

2/ you could make your rules smarter..

use skipto rules to make the average packet traverse fewer rules..

off the top of my head.. (not tested..)

Assuming you have machines 10.0.0.1-10.0.0.254....
the rules below have an average packet traversing 19 rules and not 256 
for the SYN packet and 2 rules for others..
you may not be able to do the keep state  trick if you use state for 
other stuff but in that case worst case will still be 19 rules.

2 check-state
5 skipto 10000 ip from not 10.0.0.0/24 to any
10 skipto 2020 ip from not 10.0.0.0/25 to any  # 0-127
20 skipto 1030 ip from not 10.0.0.0/26 to any  # 0-63
30 skipto 240 ip from not 10.0.0.0/27  to any  # 0-31
40 skipto 100 ip from not 10.0.0.0/28  to any  # 0-15
[16 count rules for 0-15] keep-state
80 skipto 10000 ip from any to any
100 [16 count rules for 16-31] keep-state
140 skipto 10000 ip from any to any
240 skipto 300 ip from not 10.0.0.32/28 to any
     [16 rules for 32-47] keep-state
280 skipto 10000 ip from any to any
300 [16 count rules for 48-63] keep-state
340 skipto 10000 ip from any to any
1030 skipto 1240 ip from not 10.0.0.64/27 to any
1040 skipto 1100 ip from not 10.0.0.64/28 to any
    [16 count rules for 64-79] keep-state
1080 skipto 10000 ip from any to any
1100 [16 rules for 80-95] keep-state
1140 skipto 10000 ip from any to any
1240 skipto 1300 ip from not 10.0.0.96/28 to any
     [16 count rules for 96-111] keep-state
1280 skipto 10000 ip from any to any
1300 [16 rules for 112-127] keep-state
1340 skipto 10000 ip from any to any
2020 skipto 3030 ip from not 10.0.0.128/26 to any
2030 skipto 2240 ip from not 10.0.0.128/28 to any
     [16 count rules for 128-143] keep-state
2080 skipto 10000 ip from any to any
2100 [16 rules for 144-159] keep-state
2140 skipto 10000 ip from any to any
2240 skipto 2300 ip from not 10.0.0.160/28 to any
     [16 count rules for 160-175] keep-state
2280 skipto 10000 ip from any to any
2300 [16 count rules for 176-191] keep-state
2340 skipto 10000 ip from any to any
3030 skipto 3240 ip from not 10.0.0.192/27 to any
3040 skipto 3100 ip from not 10.0.0.192/28 to any
     [16 count rules for 192-207] keep-state
3080 skipto 10000 ip from any to any
3100 [16 rules for 208-223] keep-state
3140 skipto 10000 ip from any to any
3240 skipto 3300 ip from not 10.0.0.224/28 to any
     [16 count rules for 224-239] keep-state
3280 skipto 10000 ip from any to any
3300 [16 count rules for 240-255] keep-state
3340 skipto 10000 ip from any to any

10000 #other stuff

in fact you could improve it further with:
1/ either going down to a netmask of 29 (8 rules per set)
or
2/ instead of having count rules make them skipto
so you would have:
3300 skipto 10000 ip from 10.0.0.240 to any
3301 skipto 10000 ip from 10.0.0.241 to any
3302 skipto 10000 ip from 10.0.0.242 to any
3303 skipto 10000 ip from 10.0.0.243 to any
3304 skipto 10000 ip from 10.0.0.244 to any
3305 skipto 10000 ip from 10.0.0.245 to any
3306 skipto 10000 ip from 10.0.0.246 to any
3307 skipto 10000 ip from 10.0.0.247 to any
3308 skipto 10000 ip from 10.0.0.248 to any
3309 skipto 10000 ip from 10.0.0.249 to any
3310 skipto 10000 ip from 10.0.0.250 to any
3311 skipto 10000 ip from 10.0.0.251 to any
3312 skipto 10000 ip from 10.0.0.252 to any
3313 skipto 10000 ip from 10.0.0.253 to any
3314 skipto 10000 ip from 10.0.0.254 to any
3315 skipto 10000 ip from 10.0.0.255 to any

thus on average, a packet would traverse half the rules (8).

3/ both the above  so on average they would traverse  4 rules plus one 
extra skipto.

you should be  able to do the above in a script.
I'd love to see it..

(you can also do skipto tablearg in -current (maybe 7.2 too)
which may also be good.. (or not))


julian
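The generator Julian asks for, as an added example that is not part of the original thread: it emits the skipto tree for a /24 (rule numbers from 10, "other stuff" at 10000 as in the reply; leaf_size=8 is option 1, leaf="skipto" is option 2) and simulates ipfw's search order for a packet so the per-packet rule count can be checked before loading anything. It treats every packet as a first packet, so check-state/keep-state shortcuts are not modelled.

```python
import bisect
import ipaddress

EXIT = 10000                              # "other stuff" starts here, as in the post
ANY = ipaddress.ip_network("0.0.0.0/0")

def build_tree(net, base, leaf_size=16, leaf="count"):
    """(number, action, target, src_net, negate) tuples numbered from base.
    leaf="count": count keep-state per host (the post's layout); leaf="skipto":
    per-host skipto EXIT so the search stops at the matching host (option 2)."""
    if net.num_addresses <= leaf_size:
        rules = [(base + i, leaf, EXIT if leaf == "skipto" else None,
                  ipaddress.ip_network(f"{h}/32"), False) for i, h in enumerate(net)]
        return rules + [(base + len(rules), "skipto", EXIT, ANY, False)]
    lower, upper = net.subnets(prefixlen_diff=1)
    low = build_tree(lower, base + 1, leaf_size, leaf)
    up_start = base + 1 + len(low)
    # Sources outside the lower half jump straight over its rules.
    return ([(base, "skipto", up_start, lower, True)] + low
            + build_tree(upper, up_start, leaf_size, leaf))

def ruleset(net="10.0.0.0/24", leaf_size=16, leaf="count", base=10):
    """Guard rule sending foreign sources to EXIT, followed by the tree."""
    net = ipaddress.ip_network(net)
    return [(base, "skipto", EXIT, net, True)] + build_tree(net, base + 1, leaf_size, leaf)

def render(rule):
    """One ipfw(8) command line for a rule tuple."""
    num, action, target, net, negate = rule
    src = "any" if net == ANY else ("not " if negate else "") + (
        str(net.network_address) if net.prefixlen == 32 else str(net))
    act = "count" if action == "count" else f"skipto {target}"
    opt = " keep-state" if action == "count" else ""
    return f"ipfw add {num} {act} ip from {src} to any{opt}"

def rules_visited(rules, src):
    """Rules evaluated for a packet from src before it reaches EXIT (ipfw search:
    a count match continues, a skipto match resumes at the first rule >= target)."""
    numbers = [r[0] for r in rules]
    addr, i, visited = ipaddress.ip_address(src), 0, 0
    while i < len(rules):
        _, action, target, net, negate = rules[i]
        visited += 1
        if action == "skipto" and (addr in net) != negate:
            if target >= EXIT:
                return visited
            i = bisect.bisect_left(numbers, target)
        else:
            i += 1
    return visited
```

Printing `render(r)` for each rule of `ruleset()` gives a loadable script; with count leaves every local host costs 22 rule evaluations (guard, four skiptos, 16 counts, exit), with skipto leaves it is 6 to 21 depending on the host's position in its /28.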

More information about the freebsd-net mailing list