IPFW MAX RULES COUNT PERFORMANCE

Daniel Dias Gonçalves ddg at yan.com.br
Mon Apr 27 16:24:22 UTC 2009


Going to another example.
If I wanted each authentication (username and password) in the captive
portal to set up rules limiting the speed of the user's IP, how would I do
that? Can I create two rules (in/out) for each user, associated with a pipe?
When simulating this with a script adding hundreds of rules, the latency
also increases; how do I resolve this?

Adrian Chadd wrote:
> You'd almost certainly be better off hacking up an extension to ipfw
> which lets you count a /24 in one rule.
>
> As in, the count rule would match on the subnet/netmask, have 256 32
> (or 64 bit) integers allocated to record traffic in, and then do an
> O(1) operation using the last octet of the v4 address to map it into
> this 256 slot array to update counters for.
>
> It'd require a little tool hackery to extend ipfw in userland/kernel
> space to do it but it would work and be (very almost) just as fast as
> a single rule.
>
> 2c,
>
>
>
> Adrian
>
> 2009/4/23 Daniel Dias Gonçalves <ddg at yan.com.br>:
>   
>> Hi,
>>
>> My system is a FreeBSD 7.1R.
>> When I add IPFW COUNT rules for 254 IPs from my network, one of my interfaces
>> increases in latency, causing large delays in the network; when I delete the
>> COUNT rules, everything returns to normal. What can it be?
>>
>> My script:
>>
>> ipcount.php
>> -- CUT --
>> <?
>> $c=0;
>> $a=50100;
>> for($x=0;$x<=0;$x++) {
>>       for($y=1;$y<=254;$y++) {
>>               $ip = "192.168.$x.$y";
>>               system("/sbin/ipfw -q add $a count { tcp or udp } from any to
>> $ip/32");
>>               system("/sbin/ipfw -q add $a count { tcp or udp } from $ip/32
>> to any");
>>               #system("/sbin/ipfw delete $a");
>>               $c++;
>>               $a++;
>>       }
>> }
>> echo "\n\nTotal: $c\n";
>> ?>
>> -- CUT --
>>
>> net.inet.ip.fw.dyn_keepalive: 1
>> net.inet.ip.fw.dyn_short_lifetime: 5
>> net.inet.ip.fw.dyn_udp_lifetime: 10
>> net.inet.ip.fw.dyn_rst_lifetime: 1
>> net.inet.ip.fw.dyn_fin_lifetime: 1
>> net.inet.ip.fw.dyn_syn_lifetime: 20
>> net.inet.ip.fw.dyn_ack_lifetime: 300
>> net.inet.ip.fw.static_count: 262
>> net.inet.ip.fw.dyn_max: 10000
>> net.inet.ip.fw.dyn_count: 0
>> net.inet.ip.fw.curr_dyn_buckets: 256
>> net.inet.ip.fw.dyn_buckets: 10000
>> net.inet.ip.fw.default_rule: 65535
>> net.inet.ip.fw.verbose_limit: 0
>> net.inet.ip.fw.verbose: 1
>> net.inet.ip.fw.debug: 0
>> net.inet.ip.fw.one_pass: 1
>> net.inet.ip.fw.autoinc_step: 100
>> net.inet.ip.fw.enable: 1
>> net.link.ether.ipfw: 1
>> net.link.bridge.ipfw: 0
>> net.link.bridge.ipfw_arp: 0
>>
>> Thanks,
>>
>> Daniel
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>
>>     
>
>
>   
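To make the difference between the two approaches in this thread concrete, here is an added example in C that is not part of the thread and not ipfw code. It is a user-space model of both designs: the script's 508 per-host `count` rules, which ipfw walks in order and which, because `count` never terminates rule processing, are all evaluated for every packet; and the single "subnet count" rule suggested in the reply, which matches on a network/mask and indexes a 256-slot counter array by the last octet in O(1). The names `subnet_counter`, `host_rule` and the functions below are hypothetical; the sample packet addresses are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

#define SLOTS 256   /* hosts addressable in one /24 */

/* Hypothetical "subnet count" rule as described in the reply: one rule,
 * one network/mask, and 256 per-host counter slots for each direction. */
struct subnet_counter {
    uint32_t net;                               /* network, host byte order */
    uint32_t mask;                              /* 0xffffff00 for a /24 */
    uint64_t pkts_in[SLOTS],  bytes_in[SLOTS];  /* traffic to the host */
    uint64_t pkts_out[SLOTS], bytes_out[SLOTS]; /* traffic from the host */
};

/* Parse dotted-quad text into a host-byte-order uint32_t; 0 on success. */
static int parse_ip(const char *text, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1)
        return -1;
    *out = ntohl(a.s_addr);
    return 0;
}

/* Configure the counter for the /24 that contains net_text. */
static int subnet_counter_init(struct subnet_counter *sc, const char *net_text)
{
    uint32_t net;
    if (parse_ip(net_text, &net) != 0)
        return -1;
    memset(sc, 0, sizeof *sc);
    sc->mask = 0xffffff00u;
    sc->net = net & sc->mask;
    return 0;
}

/* Account one packet. The last octet selects the slot, so the cost does not
 * grow with the number of hosts. Returns the number of slots updated (0-2). */
static int subnet_counter_update(struct subnet_counter *sc,
                                 uint32_t src, uint32_t dst, uint32_t len)
{
    int hits = 0;
    if ((src & sc->mask) == sc->net) {
        sc->pkts_out[src & 0xff]++;
        sc->bytes_out[src & 0xff] += len;
        hits++;
    }
    if ((dst & sc->mask) == sc->net) {
        sc->pkts_in[dst & 0xff]++;
        sc->bytes_in[dst & 0xff] += len;
        hits++;
    }
    return hits;
}

/* Model of the script's rule set: one count rule per host and direction. */
struct host_rule {
    uint32_t addr;
    int to_host;        /* 1: "from any to host", 0: "from host to any" */
    uint64_t pkts;
};

/* Build 2 * 254 rules for hosts .1 to .254 of the /24; returns the count. */
static size_t build_host_rules(struct host_rule *rules, size_t cap, const char *net_text)
{
    uint32_t net;
    size_t n = 0;
    if (parse_ip(net_text, &net) != 0)
        return 0;
    net &= 0xffffff00u;
    for (uint32_t h = 1; h <= 254 && n + 1 < cap; h++) {
        rules[n++] = (struct host_rule){ net | h, 1, 0 };
        rules[n++] = (struct host_rule){ net | h, 0, 0 };
    }
    return n;
}

/* Walk the list the way the firewall does for a non-terminating action:
 * every rule is evaluated for every packet. Returns rules evaluated. */
static size_t host_rules_update(struct host_rule *rules, size_t n,
                                uint32_t src, uint32_t dst)
{
    size_t evaluated = 0;
    for (size_t i = 0; i < n; i++) {
        evaluated++;
        if (rules[i].to_host ? rules[i].addr == dst : rules[i].addr == src)
            rules[i].pkts++;
        /* no break: count does not stop rule processing */
    }
    return evaluated;
}

int main(void)
{
    struct subnet_counter sc;
    struct host_rule rules[512];
    uint32_t src, dst;

    subnet_counter_init(&sc, "192.168.0.0");
    size_t n = build_host_rules(rules, 512, "192.168.0.0");

    /* Constructed sample packet: 192.168.0.7 -> 10.0.0.1, 1500 bytes. */
    parse_ip("192.168.0.7", &src);
    parse_ip("10.0.0.1", &dst);
    int slots = subnet_counter_update(&sc, src, dst, 1500);
    size_t evaluated = host_rules_update(rules, n, src, dst);

    printf("subnet rule: %d slot update(s); host .7 out = %llu pkt(s)\n",
           slots, (unsigned long long)sc.pkts_out[7]);
    printf("per-host rules: %zu rules evaluated for one packet\n", evaluated);
    return 0;
}
```

The model shows why the 254-host script hurts: each packet costs 508 rule comparisons on top of the rest of the ruleset, and the cost grows linearly with every host added, while the array-indexed rule costs the same for 1 host or 254. The same reasoning applies to the captive-portal question, where two rules per authenticated user would again grow the per-packet walk with the number of users.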
