IPFW MAX RULES COUNT PERFORMANCE

Julian Elischer julian at elischer.org
Fri Apr 24 21:58:16 UTC 2009


Daniel Dias Gonçalves wrote:
> Very good thinking, congratulations, but my need is another.
> The objective is a Captive Portal, for which each authentication 
> dynamically creates a rule to ALLOW or COUNT the authenticated IP; what 
> I'm testing is the maximum number of rules supported, and therefore of 
> simultaneous users.
> 
> Understand?
> 
I think so.


do not add rules.
have a single rule that looks in a table
and add entries to the table when needed.

> Thanks,
> 
> Daniel
> 
> Julian Elischer wrote:
>> Daniel Dias Gonçalves wrote:
>>> Hi,
>>>
>>> My system is a FreeBSD 7.1R.
>>> When I add IPFW COUNT rules for 254 IPs from my network, one of my 
>>> interfaces increases in latency, causing large delays in the 
>>> network; when I delete the COUNT rules, everything returns to normal. 
>>> What could it be?
>>>
>>> My script:
>>
>> of course adding 512 rules, *all of which have to be evaluated* will 
>> add latency.
>>
>> you have several ways to improve this situation.
>>
>> 1/ use a different tool.
>> By using the netgraph netflow module you can get
>> accounting information that may be more useful and less impactful.
>>
>> 2/ you could make your rules smarter..
>>
>> use skipto rules to make the average packet traverse fewer rules..
>>
>> off the top of my head.. (not tested..)
>>
>> Assuming you have machines 10.0.0.1-10.0.0.254....
>> the rules below have an average packet traversing 19 rules and not 256 
>> for the SYN packet and 2 rules for others..
>> you may not be able to do the keep-state trick if you use state for 
>> other stuff but in that case worst case will still be 19 rules.
>>
>> 2 check-state
>> 5 skipto 10000 ip from not 10.0.0.0/24 to any
>> 10 skipto 2020 ip from not 10.0.0.0/25 to any  # 0-127
>> 20 skipto 1030 ip from not 10.0.0.0/26 to any  # 0-63
>> 30 skipto 240 ip from not 10.0.0.0/27  to any  # 0-31
>> 40 skipto 100 ip from not 10.0.0.0/28  to any  # 0-15
>> [16 count rules for 0-15]
>> 80 skipto 10000 ip from any to any
>> 100 [16 count rules for 16-31] keep-state
>> 140 skipto 10000 ip from any to any
>> 240 skipto 300 ip from not 10.0.0.32/28 to any
>>     [16 rules for 32-47] keep-state
>> 280 skipto 10000 ip from any to any
>> 300 [16 count rules for 48-63] keep-state
>> 340 skipto 10000 ip from any to any
>> 1030 skipto 1240 ip from not 10.0.0.64/27 to any
>> 1040 skipto 1100 ip from not 10.0.0.64/28 to any
>>    [16 count rules for 64-79] keep-state
>> 1080 skipto 10000 ip from any to any
>> 1100 [16 rules for 80-95] keep-state
>> 1140 skipto 10000 ip from any to any
>> 1240 skipto 1300 ip from not 10.0.0.96/28 to any
>>     [16 count rules for 96-111] keep-state
>> 1280 skipto 10000 ip from any to any
>> 1300 [16 rules for 112-127] keep-state
>> 1340 skipto 10000 ip from any to any
>> 2020 skipto 3030 ip from not 10.0.0.128/26 to any
>> 2030 skipto 2240 ip from not 10.0.0.128/28 to any
>>     [16 count rules for 128-143] keep-state
>> 2080 skipto 10000 ip from any to any
>> 2100 [16 rules for 144-159] keep-state
>> 2140 skipto 10000 ip from any to any
>> 2240 skipto 2300 ip from not 10.0.0.160/28 to any
>>     [16 count rules for 160-175] keep-state
>> 2280 skipto 10000 ip from any to any
>> 2300 [16 count rules for 176-191] keep-state
>> 2340 skipto 10000 ip from any to any
>> 3030 skipto 3240 ip from not 10.0.0.192/27 to any
>> 3040 skipto 3100 ip from not 10.0.0.192/28 to any
>>     [16 count rules for 192-207] keep-state
>> 3080 skipto 10000 ip from any to any
>> 3100 [16 rules for 208-223] keep-state
>> 3140 skipto 10000 ip from any to any
>> 3240 skipto 3300 ip from not 10.0.0.224/28 to any
>>     [16 count rules for 224-239] keep-state
>> 3280 skipto 10000 ip from any to any
>> 3300 [16 count rules for 240-255] keep-state
>> 3340 skipto 10000 ip from any to any
>>
>> 10000 #other stuff
>>
>> in fact you could improve it further with:
>> 1/ either going down to a netmask of 29 (8 rules per set)
>> or
>> 2/ instead of having count rules make them skipto
>> so you would have:
>> 3300 skipto 10000 ip from 10.0.0.240 to any
>> 3301 skipto 10000 ip from 10.0.0.241 to any
>> 3302 skipto 10000 ip from 10.0.0.242 to any
>> 3303 skipto 10000 ip from 10.0.0.243 to any
>> 3304 skipto 10000 ip from 10.0.0.244 to any
>> 3305 skipto 10000 ip from 10.0.0.245 to any
>> 3306 skipto 10000 ip from 10.0.0.246 to any
>> 3307 skipto 10000 ip from 10.0.0.247 to any
>> 3308 skipto 10000 ip from 10.0.0.248 to any
>> 3309 skipto 10000 ip from 10.0.0.249 to any
>> 3310 skipto 10000 ip from 10.0.0.250 to any
>> 3311 skipto 10000 ip from 10.0.0.251 to any
>> 3312 skipto 10000 ip from 10.0.0.252 to any
>> 3313 skipto 10000 ip from 10.0.0.253 to any
>> 3314 skipto 10000 ip from 10.0.0.254 to any
>> 3315 skipto 10000 ip from 10.0.0.255 to any
>>
>> thus on average, a packet would traverse half the rules (8).
>>
>> 3/ both of the above, so on average they would traverse 4 rules plus one 
>> extra skipto.
>>
>> you should be  able to do the above in a script.
>> I'd love to see it..
>>
>> (you can also do skipto tablearg in -current (maybe 7.2 too)
>> which may also be good.. (or not))
>>
>>
>> julian
>>
>>
>>
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>
>>
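The two approaches discussed in this thread as an added example, not code from the thread itself: a POSIX sh script that prints the ipfw commands for the table-driven captive portal Julian recommends (one lookup rule, a table entry per login) and that generates his skipto tree for 10.0.0.0/24 rather than hand-writing it. The table number, the rule numbers below 10000 and the client network 10.0.0.0/24 are assumptions.

```shell
#!/bin/sh
# Prints ipfw commands rather than running them, so the ruleset can be reviewed
# first and then piped to sh on the FreeBSD host. Numbers below are assumptions.
NET=10.0.0      # first three octets of the client /24 (assumed)
TABLE=1         # ipfw table holding authenticated client addresses (assumed)
END=10000       # rule number where the rest of the ruleset continues

# Approach 1: a fixed ruleset that looks the source/destination up in a table.
# Logging a client in or out only touches the table; the rule count never grows.
emit_table_rules() {
    echo "ipfw add 100 count ip from table($TABLE) to any"
    echo "ipfw add 110 count ip from any to table($TABLE)"
    echo "ipfw add 120 allow ip from table($TABLE) to any"
    echo "ipfw add 130 allow ip from any to table($TABLE)"
    echo "ipfw add 140 deny ip from $NET.0/24 to any"   # not authenticated: blocked
}
portal_login()  { echo "ipfw table $TABLE add $1"; }    # $1 = authenticated client address
portal_logout() { echo "ipfw table $TABLE delete $1"; }

# Approach 2: the skipto tree from the thread, generated for any power-of-two block.
# A packet from the /24 crosses 4 skipto rules and at most 16 count rules in its leaf.
rules_for() {   # number of rules a subtree of $1 hosts occupies (17 per 16-host leaf)
    if [ "$1" -le 16 ]; then echo 17; return; fi
    echo $((1 + 2 * $(rules_for $(($1 / 2)))))
}
tree() {        # tree <first host> <prefixlen> <hosts> <first rule number>
    first=$1 plen=$2 n=$3 num=$4
    if [ "$n" -le 16 ]; then                  # leaf: one count rule per host, then leave
        i=0
        while [ "$i" -lt "$n" ]; do
            echo "ipfw add $((num + i)) count ip from $NET.$((first + i)) to any"
            i=$((i + 1))
        done
        echo "ipfw add $((num + n)) skipto $END ip from any to any"
        return
    fi
    half=$((n / 2))
    right=$((num + 1 + $(rules_for "$half")))  # where the upper half's rules start
    echo "ipfw add $num skipto $right ip from not $NET.$first/$((plen + 1)) to any"
    (tree "$first" $((plen + 1)) "$half" $((num + 1)))        # subshell keeps our vars intact
    (tree $((first + half)) $((plen + 1)) "$half" "$right")
}
emit_skipto_tree() {
    echo "ipfw add 999 skipto $END ip from not $NET.0/24 to any"   # outsiders bypass the tree
    tree 0 24 256 1000                        # 287 rules, numbered 1000-1286
}
```

Run `emit_table_rules` or `emit_skipto_tree` and inspect the output before piping it to sh; the table approach is the one to prefer, since the tree still grows with the address space.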
