IPFW MAX RULES COUNT PERFORMANCE
Daniel Dias Gonçalves
ddg at yan.com.br
Fri Apr 24 15:35:05 UTC 2009
Very good thinking, congratulations, but my need is another.
The objective is a Captive Portal where, for each authentication, a rule is
dynamically created to ALLOW or COUNT the authenticated IP; what I'm
testing is the maximum number of rules supported, and therefore of
simultaneous users.
Understand?
Thanks,
Daniel
Julian Elischer escreveu:
> Daniel Dias Gonçalves wrote:
>> Hi,
>>
>> My system is a FreeBSD 7.1R.
>> When I add rules IPFW COUNT to 254 IPS from my network, one of my
>> interfaces increases the latency, causing large delays in the
>> network, when I delete COUNT rules, everything returns to normal,
>> which can be ?
>>
>> My script:
>
> of course adding 512 rules, *all of which have to be evaluated* will
> add latency.
>
> you have several ways to improve this situation.
>
> 1/ use a different tool.
> By using the netgraph netflow module you can get
> accounting information that may be more useful and less impactful.
>
> 2/ you could make your rules smarter..
>
> use skipto rules to make the average packet traverse fewer rules..
>
> off the top of my head.. (not tested..)
>
> Assuming you have machines 10.0.0.1-10.0.0.254....
> the rules below have an average packet traversing 19 rules and not 256
> for the SYN packet and 2 rules for others..
> you may not be able to do the keep state trick if you use state for
> other stuff but in that case worst case will still be 19 rules.
>
> 2 check-state
> 5 skipto 10000 ip from not 10.0.0.0/24 to any
> 10 skipto 2020 ip from not 10.0.0.0/25 to any # 0-128
> 20 skipto 1030 ip from not 10.0.0.0/26 to any # 0-64
> 30 skipto 240 ip from not 10.0.0.0/27 to any # 0-32
> 40 skipto 100 ip from not 10.0.0.0/28 to any # 0-16
> [16 count rules for 0-15]
> 80 skipto 10000 ip from any to any
> 100 [16 count rules for 16-31] keep-state
> 140 skipto 10000 ip from any to any
> 240 skipto 300 ip from not 10.0.0.32/28 to any
> [16 rules for 32-47] keep-state
> 280 skipto 10000 ip from any to any
> 300 [16 count rules for 48-63] keep-state
> 340 skipto 10000 ip from any to any
> 1030 skipto 1240 ip from not 10.0.0.64/27 to any
> 1040 skipto 1100 ip from not 10.0.0.64/28 to any
> [16 count rules for 64-79] keep-state
> 1080 skipto 10000 ip from any to any
> 1100 [16 rules for 80-95] keep-state
> 1140 skipto 10000 ip from any to any
> 1240 skipto 1300 ip from not 10.0.0.96/28 to any
> [16 count rules for 96-111] keep-state
> 1280 skipto 10000 ip from any to any
> 1300 [16 rules for 112-127] keep-state
> 1340 skipto 10000 ip from any to any
> 2020 skipto 3030 ip from not 10.0.0.128/26 to any
> 2030 skipto 2240 ip from not 10.0.0.128/28 to any
> [16 count rules for 128-143] keep-state
> 2080 skipto 10000 ip from any to any
> 2100 [16 rules for 144-159] keep-state
> 2140 skipto 10000 ip from any to any
> 2240 skipto 2300 ip from not 10.0.0.160/28 to any
> [16 count rules for 160-175] keep-state
> 2280 skipto 10000 ip from any to any
> 2300 [16 count rules for 176-191] keep-state
> 2340 skipto 10000 ip from any to any
> 3030 skipto 3240 ip from not 10.0.0.192/27 to any
> 3040 skipto 3100 ip from not 10.0.0.192/28 to any
> [16 count rules for 192-207] keep-state
> 3080 skipto 10000 ip from any to any
> 3100 [16 rules for 208-223] keep-state
> 3140 skipto 10000 ip from any to any
> 3240 skipto 3300 ip from not 10.0.0.224/28 to any
> [16 count rules for 224-239] keep-state
> 3280 skipto 10000 ip from any to any
> 3300 [16 count rules for 240-255] keep-state
> 3340 skipto 10000 ip from any to any
>
> 10000 #other stuff
>
> in fact you could improve it further with:
> 1/ either going down to a netmask of 29 (8 rules per set)
> or
> 2/ instead of having count rules make them skipto
> so you would have:
> 3300 skipto 10000 ip from 10.0.0.240 to any
> 3301 skipto 10000 ip from 10.0.0.241 to any
> 3302 skipto 10000 ip from 10.0.0.242 to any
> 3303 skipto 10000 ip from 10.0.0.243 to any
> 3304 skipto 10000 ip from 10.0.0.244 to any
> 3305 skipto 10000 ip from 10.0.0.245 to any
> 3306 skipto 10000 ip from 10.0.0.246 to any
> 3307 skipto 10000 ip from 10.0.0.247 to any
> 3308 skipto 10000 ip from 10.0.0.248 to any
> 3309 skipto 10000 ip from 10.0.0.249 to any
> 3310 skipto 10000 ip from 10.0.0.250 to any
> 3311 skipto 10000 ip from 10.0.0.251 to any
> 3312 skipto 10000 ip from 10.0.0.252 to any
> 3313 skipto 10000 ip from 10.0.0.253 to any
> 3314 skipto 10000 ip from 10.0.0.254 to any
> 3315 skipto 10000 ip from 10.0.0.255 to any
>
> thus on average, a packet would traverse half the rules (8).
>
> 3/ both the above so on average they would traverse 4 rules plus one
> extra skipto.
>
> you should be able to do the above in a script.
> I'd love to see it..
>
> (you can also do skipto tablearg in -current (maybe 7.2 too)
> which may also be good.. (or not))
>
>
> julian
>
>
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
>
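Julian asks for the tree above to be generated by a script. The following Python program is an added example, not code from the thread or from FreeBSD: it builds the same binary skipto tree over a /24 (splitting down to /28 leaves of 16 hosts, as in the sketch) with sequential rule numbers, renders it as `ipfw add` commands, and then walks the list the way ipfw does to measure how many rules a packet from each host actually evaluates. It also builds the flat per-host list for comparison, and implements the second trick from the thread (a per-host `skipto` instead of `count`, relying on the fact that every ipfw rule keeps its own packet and byte counters). The network 10.0.0.0/24 and the terminal rule number 10000 are taken from the thread; the `keep-state` variant is left out.

```python
#!/usr/bin/env python3
"""Generate the binary skipto tree of ipfw rules sketched in the thread
for one /24, emit it as `ipfw add` commands, and measure how many rules a
packet from each host actually has to evaluate."""
import ipaddress
from statistics import mean

END = 10000                                   # where "other stuff" starts (from the thread)
LEAF_PREFIX = 28                              # 16 hosts per leaf block, as in the sketch
ROOT = ipaddress.ip_network("10.0.0.0/24")    # constructed example network
ANY = ipaddress.ip_network("0.0.0.0/0")

# A rule is (number, action, skipto_target, source_network, negate_match).


def leaf_rule(num, host, leaf):
    """Per-host rule: a plain count, or (the thread's second trick) a skipto END
    that still bumps its own packet/byte counter but ends the rule walk."""
    net = ipaddress.ip_network(f"{host}/32")
    if leaf == "count":
        return (num, "count", None, net, False)
    return (num, "skipto", END, net, False)


def subtree_size(prefix_len):
    """Rules occupied by a subtree rooted at a /prefix_len."""
    if prefix_len == LEAF_PREFIX:
        return 2 ** (32 - LEAF_PREFIX) + 1        # 16 host rules + trailing skipto END
    return 1 + 2 * subtree_size(prefix_len + 1)   # one split rule + both halves


def build(net, start, leaf="count"):
    """Pre-order emission: the split rule says 'not in the left half ->
    skipto the right subtree', so every skipto target is a higher rule
    number, which ipfw requires."""
    rules = []
    if net.prefixlen == LEAF_PREFIX:
        num = start
        for host in net:                          # all 16 addresses, incl. .0 and .15
            rules.append(leaf_rule(num, host, leaf))
            num += 1
        rules.append((num, "skipto", END, ANY, False))
        return rules
    left, right = net.subnets(prefixlen_diff=1)
    right_start = start + 1 + subtree_size(left.prefixlen)
    rules.append((start, "skipto", right_start, left, True))
    rules += build(left, start + 1, leaf)
    rules += build(right, right_start, leaf)
    return rules


def ruleset(mode="tree", leaf="count"):
    """Rule 1 sends foreign sources straight to END; then either the flat
    per-host list (the shape of the original script) or the skipto tree."""
    rules = [(1, "skipto", END, ROOT, True)]
    if mode == "flat":
        num = 2
        for host in ROOT:
            rules.append(leaf_rule(num, host, leaf))
            num += 1
        rules.append((num, "skipto", END, ANY, False))
        return rules
    return rules + build(ROOT, 2, leaf)


def ipfw_commands(rules):
    """Render rules as `ipfw add` lines (print, review, then feed to sh)."""
    out = []
    for num, action, target, net, negate in rules:
        if net == ANY:
            src = "any"
        elif net.prefixlen == 32:
            src = str(net.network_address)
        else:
            src = str(net)
        src = f"not {src}" if negate else src
        act = f"skipto {target}" if action == "skipto" else action
        out.append(f"ipfw add {num} {act} ip from {src} to any")
    return out


def rules_evaluated(rules, src):
    """Walk the list as ipfw would for one source address and return how
    many rules were evaluated before reaching END."""
    src = ipaddress.ip_address(src)
    i = n = 0
    while i < len(rules):
        num, action, target, net, negate = rules[i]
        n += 1
        if action == "skipto" and (src in net) != negate:
            if target >= END:
                return n
            # ipfw continues at the first rule numbered >= target
            i = next(j for j, r in enumerate(rules) if r[0] >= target)
        else:
            i += 1
    return n


def average_path(mode, leaf):
    """Mean number of rules evaluated over every host in the /24."""
    rules = ruleset(mode, leaf)
    return mean(rules_evaluated(rules, h) for h in ROOT)


if __name__ == "__main__":
    for mode, leaf in (("flat", "count"), ("tree", "count"), ("tree", "skipto")):
        print(f"{mode:4s}/{leaf:6s}: {len(ruleset(mode, leaf)):3d} rules, "
              f"{average_path(mode, leaf):6.1f} evaluated per packet on average")
    print("\n".join(ipfw_commands(ruleset('tree', 'skipto'))[:8]), "...")
```

With these parameters the flat count list makes every local packet evaluate 258 rules, the count tree brings that down to a constant 22 (four split rules, a 16-rule leaf and the two skipto rules), and the per-host skipto variant averages 13.5 because the walk stops at the matching host rule. Note that the tree holds more rules than the flat list (288 versus 258); what it buys is a shorter path per packet, which is the latency that matters here.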