Re: Throughput extremely decreases when IPFW 7000 mac based rules activated

From: alfadev via freebsd-hackers <freebsd-hackers_at_FreeBSD.org>
Date: Tue, 10 Aug 2021 12:14:46 +0000
Thanks!

> ipfw add 10 skipto 1000 not layer2 # do not MAC-filter layer3 packets that have L2 header stripped already anyway
> ipfw add 20 allow out # do not MAC-filter packets leaving the firewall, MAC-filter incoming only
> Also, your 11.2 version is quite old and you may need to upgrade to 11.4-STABLE at least to catch up with bugfixes and/or optimizations.
> Also, if you do filtering bridge, you should carefully read if_bridge(4) manual page,

* I have added skipto rule for layer3
* I have to add both in and out allow pipe rules for each MAC Address to assign bandwidth per MAC
* I also tried this configuration on FreeBSD 12.2 but no luck same problem occurs.
* I have no bridge configuration

> that ipfw is not right tool for this task at the moment.
* How can i overcome this problem without using IPFW?

Thanks for any help ..

Here is my configuration:
#################################################

ipfw -q -f flush

ipfw pipe 2 config bw 500000Kbit mask dst-ip 0xffffffff
ipfw pipe 1002 config bw 500000Kbit mask src-ip 0xffffffff

ipfw pipe 4 config bw 1024Kbit mask dst-ip 0xffffffff
ipfw pipe 1004 config bw 1024Kbit mask src-ip 0xffffffff


# Loopback allow
ipfw -q add 1 allow all from any to any out via lo0
ipfw -q add 2 allow all from any to any in via lo0

# WAN Allow
ipfw -q add 3 allow ip from any to any MAC any any via em0
ipfw -q add 4 allow ip from any to any via em0

# Layer2 em1 enable arp traffic
ipfw -q add 5 allow ip from any to any layer2 mac-type arp via em1
ipfw -q add 6 skipto 64000 all from any to any not layer2

# Layer2 blocked mac
ipfw -q add 1189 deny ip from any to any MAC 1c:cc:d6:42:5e:xx any via em1
ipfw -q add 2189 deny ip from any to any MAC any 1c:cc:d6:42:5e:xx via em1
ipfw -q add 1190 deny ip from any to any MAC 3c:dc:bc:ab:56:yy any via em1
ipfw -q add 2190 deny ip from any to any MAC any 3c:dc:bc:ab:56:yy via em1
ipfw -q add 1193 deny ip from any to any MAC 02:93:ca:4a:24:ab any via em1

ipfw -q add 5004 pipe 2 tag 1 ip from any to any MAC 78:67:d7:23:14:zz any via em1
ipfw -q add 5005 pipe 1002 tag 1 ip from any to any MAC any 78:67:d7:23:14:zz via em1
...
...
...
... sample added mac address allow and pipe rules
...
... TOTAL 2500-3000 mac address in and out allow pipe rules
...
...
ipfw -q add 12004 pipe 4 tag 1 ip from any to any MAC b8:37:e7:53:e4:qq any via em1
ipfw -q add 12005 pipe 1004 tag 1 ip from any to any MAC any b8:37:e7:53:e4:qq via em1


ipfw -q add 60000 allow ip from any to any MAC any any via em1

...
...  NOT tagged Mac address redirected block page
...

ipfw -q add 65534 allow all from any to any

#################################################

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Tuesday, August 10th, 2021 at 8:08 AM, Eugene Grosbein <eugen_at_grosbein.net> wrote:

> CC'ing more knowledgeable eyes that may have something to add.
>
> 09.08.2021 21:58, alfadev via freebsd-hackers wrote:
>
> > Hi, I have freebsd 11.2 server with IPFW firewall
> >
> > 870Mbits Fiber Net exist in my data center
> >
> > There are 7000 defined mac based rules on IPFW and 3000 of them active client . There is no problem before IPFW rules loading but when i load IPFW rules,
> >
> > throughput extremely decreases up to 80Mbits. There are not any error logs. I could not find what is the problem.
> >
> > Any help would be appreciated at this point.
>
> The search over ipfw rules is linear, so no wonder it decreases drastically when the list grows so big.
>
> Also, layer-2 frames and then layer-3 packets may pass over ipfw matching process upto four times\
>
> unless you carefully create your ruleset like this:
>
> ipfw add 10 skipto 1000 not layer2 # do not MAC-filter layer3 packets that have L2 header stripped already anyway
>
> ipfw add 20 allow out # do not MAC-filter packets leaving the firewall, MAC-filter incoming only
>
> ipfw add 30 ... # start MAC-filtering here
>
> ...
>
> ipfw add 1000 ... # firewall part for layer3 packets
>
> Also, if you do filtering bridge, you should carefully read if_bridge(4) manual page,
>
> section PACKET FILTERING and disable extra passes over packet filters such as:
>
> sysctl net.link.bridge.pfil_member=0 # disable extra passes over ipfw ruleset for bridge members, filter the bridge itself only
>
> Such ruleset could decrease filtering overhead several times but I'm afraid
>
> that ipfw is not right tool for this task at the moment.
>
> ipfw has "tables" to optimize large list matching and they perform great but for layer3 IP matching, not for layer2 MAC matching.
>
> Also, your 11.2 version is quite old and you may need to upgrade to 11.4-STABLE at least to catch up with bugfixes and/or optimizations.
Received on Tue Aug 10 2021 - 12:14:46 UTC

Original text of this message