finding optimal ipfw strategy

Victor Gamov vit at otcnet.ru
Sat Aug 24 20:44:25 UTC 2019 

Eugene

Many thanks for your reply!

I need to read more about tablearg and then modify my current production 
rules step by step.

Thank you again!


On 24/08/2019 23:11, Eugene Grosbein wrote:
> 25.08.2019 2:34, Eugene Grosbein wrote:
> 
>> Also, use table arguments and not only table values, do not ignore their existence:
>>
>> ipfw table $Mcast1_iface_out add vlan20 $mcast11
>> ipfw table $Mcast1_iface_out add vlan20 $mcast12
>> ipfw table $Mcast1_iface_out add vlan20 $mcast13
>> ipfw add 25000 allow udp from IP1 to tablearg out xmit "table($Mcast1_iface_out)"
>>
>> Note there is one single checking ipfw rules for all used pairs ($Mcast1_iface_out, $mcastXX)
>> and this time it is not micro-optimization but very important one when you have plenty of mcastXX.
> 
> I have to correct myself: ipfw table cannot contain multiple values differing with arguments only,
> so we should rewrite commands this way: first table contains just list of used multicast destination IPs:
> 
> Mcast_addr_out=1
> ipfw table $Mcast_addr_out create type addr
> ipfw table $Mcast_addr_out add $mcast11 25012 # use range of rules 25012-49999
> ipfw table $Mcast_addr_out add $mcast12 25014 # increment rule number by 2
> ipfw table $Mcast_addr_out add $mcast13 25016
> 
> And you have multiple tables for list of interfaces, one table per multicast destination:
> 
> Mcast1_iface_out=2
> ipfw table $Mcast1_iface_out create type iface
> ipfw table $Mcast1_iface_out add vlan20
> ipfw table $Mcast1_iface_out add vlan22
> ipfw table $Mcast1_iface_out add vlan39
> 
> Then you start filtering by splitting traffic by destination IP that is most efficient:
> 
> ipfw add 25000 skipto tablearg from $IP1 to "table($Mcast_addr_out)"
> ipfw add 25010 deny udp from $your_multicast_range to any
> ipfw add 25011 skipto 50000 ip from any to any # past this set of checks
> 
> Only traffic destined for specific IP hits the rule checking for outgoing interface:
> 
> ipfw add 25012 allow udp from any to any out xmit "table($Mcast1_iface_out)"
> ipfw add 25013 deny udp from any to any
> 
> ipfw add 25014 allow udp from any to any out xmit "table($Mcast2_iface_out)"
> ipfw add 25015 deny udp from any to any
> 
> And so on.


-- 
CU,
Victor Gamov

More information about the freebsd-net mailing list