From: alfadev via freebsd-hackers <alfadev@protonmail.com>
Date: Tue, 10 Aug 2021 12:14:46 +0000
To: Eugene Grosbein, freebsd-hackers@FreeBSD.org, frebsd-ipfw@FreeBSD.org, melifaro@freebsd.org, ae@FreeBSD.org
Subject: Re: Throughput extremely decreases when IPFW 7000 mac based rules activated
In-Reply-To: <7a737f3d-e291-e8a1-b629-09365a99c937@grosbein.net>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
Thanks!

> ipfw add 10 skipto 1000 not layer2 # do not MAC-filter layer3 packets that have L2 header stripped already anyway
> ipfw add 20 allow out # do not MAC-filter packets leaving the firewall, MAC-filter incoming only
> Also, your 11.2 version is quite old and you may need to upgrade to 11.4-STABLE at least to catch up with bugfixes and/or optimizations.
> Also, if you do filtering bridge, you should carefully read if_bridge(4) manual page,

* I have added the skipto rule for layer3.
* I have to add both in and out allow pipe rules for each MAC address to assign bandwidth per MAC.
* I also tried this configuration on FreeBSD 12.2, but no luck, the same problem occurs.
* I have no bridge configuration.

> that ipfw is not right tool for this task at the moment.

* How can I overcome this problem without using IPFW?

Thanks for any help ..
Here is my configuration:

#################################################
ipfw -q -f flush

ipfw pipe 2 config bw 500000Kbit mask dst-ip 0xffffffff
ipfw pipe 1002 config bw 500000Kbit mask src-ip 0xffffffff
ipfw pipe 4 config bw 1024Kbit mask dst-ip 0xffffffff
ipfw pipe 1004 config bw 1024Kbit mask src-ip 0xffffffff

# Loopback allow
ipfw -q add 1 allow all from any to any out via lo0
ipfw -q add 2 allow all from any to any in via lo0

# WAN Allow
ipfw -q add 3 allow ip from any to any MAC any any via em0
ipfw -q add 4 allow ip from any to any via em0

# Layer2 em1 enable arp traffic
ipfw -q add 5 allow ip from any to any layer2 mac-type arp via em1
ipfw -q add 6 skipto 64000 all from any to any not layer2

# Layer2 blocked mac
ipfw -q add 1189 deny ip from any to any MAC 1c:cc:d6:42:5e:xx any via em1
ipfw -q add 2189 deny ip from any to any MAC any 1c:cc:d6:42:5e:xx via em1
ipfw -q add 1190 deny ip from any to any MAC 3c:dc:bc:ab:56:yy any via em1
ipfw -q add 2190 deny ip from any to any MAC any 3c:dc:bc:ab:56:yy via em1
ipfw -q add 1193 deny ip from any to any MAC 02:93:ca:4a:24:ab any via em1

ipfw -q add 5004 pipe 2 tag 1 ip from any to any MAC 78:67:d7:23:14:zz any via em1
ipfw -q add 5005 pipe 1002 tag 1 ip from any to any MAC any 78:67:d7:23:14:zz via em1
... ... ... ... sample added mac address allow and pipe rules ... ...
TOTAL 2500-3000 mac address in and out allow pipe rules
... ...
ipfw -q add 12004 pipe 4 tag 1 ip from any to any MAC b8:37:e7:53:e4:qq any via em1
ipfw -q add 12005 pipe 1004 tag 1 ip from any to any MAC any b8:37:e7:53:e4:qq via em1

ipfw -q add 60000 allow ip from any to any MAC any any via em1
... ... NOT tagged Mac address redirected block page ...
ipfw -q add 65534 allow all from any to any
#################################################

Sent with ProtonMail Secure Email.
------- Original Message -------
On Tuesday, August 10th, 2021 at 8:08 AM, Eugene Grosbein wrote:

> CC'ing more knowledgeable eyes that may have something to add.
>
> 09.08.2021 21:58, alfadev via freebsd-hackers wrote:
>
> > Hi, I have a freebsd 11.2 server with IPFW firewall
> >
> > 870Mbits Fiber Net exists in my data center
> >
> > There are 7000 defined mac based rules on IPFW and 3000 of them are active clients. There is no problem before IPFW rules loading, but when I load IPFW rules,
> >
> > throughput extremely decreases up to 80Mbits. There are not any error logs. I could not find what the problem is.
> >
> > Any help would be appreciated at this point.
>
> The search over ipfw rules is linear, so no wonder it decreases drastically when the list grows so big.
>
> Also, layer-2 frames and then layer-3 packets may pass over the ipfw matching process up to four times
>
> unless you carefully create your ruleset like this:
>
> ipfw add 10 skipto 1000 not layer2 # do not MAC-filter layer3 packets that have L2 header stripped already anyway
>
> ipfw add 20 allow out # do not MAC-filter packets leaving the firewall, MAC-filter incoming only
>
> ipfw add 30 ... # start MAC-filtering here
>
> ...
>
> ipfw add 1000 ... # firewall part for layer3 packets
>
> Also, if you do filtering bridge, you should carefully read if_bridge(4) manual page,
>
> section PACKET FILTERING and disable extra passes over packet filters such as:
>
> sysctl net.link.bridge.pfil_member=0 # disable extra passes over ipfw ruleset for bridge members, filter the bridge itself only
>
> Such ruleset could decrease filtering overhead several times but I'm afraid
>
> that ipfw is not the right tool for this task at the moment.
>
> ipfw has "tables" to optimize large list matching and they perform great but for layer3 IP matching, not for layer2 MAC matching.
>
> Also, your 11.2 version is quite old and you may need to upgrade to 11.4-STABLE at least to catch up with bugfixes and/or optimizations.
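The ruleset ordering Eugene describes (short-circuit rules first, then "skipto ... not layer2", then the per-MAC rules) is easy to get wrong by hand when the MAC list runs to thousands of entries, so here is an added example of generating it from a client list. This is example code written for this page, not the poster's configuration and not FreeBSD project code; it reuses the poster's pipe numbers and rates, but the interface names em0/em1, the class names full/slow/block, the rule numbering, the L3 start rule 60000 and the three sample MAC addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example (not the poster's config, not FreeBSD code): emit a per-MAC
# ipfw + dummynet ruleset whose fast paths keep most traffic off the long,
# linearly searched MAC list. Interfaces, classes and client list are assumed.
set -eu

LAN_IF=${LAN_IF:-em1}      # assumed client-facing interface (MAC-filtered)
WAN_IF=${WAN_IF:-em0}      # assumed uplink interface (not MAC-filtered)
L3_START=60000             # assumed rule number where layer-3 policy begins

# Constructed sample client list: "<mac> <class>", class = full | slow | block
SAMPLE_CLIENTS='78:67:d7:23:14:01 full
b8:37:e7:53:e4:02 slow
1c:cc:d6:42:5e:03 block'

# Print ipfw commands (without the leading "ipfw") for the given client list.
gen_ruleset() {
    clients=$1
    # One dummynet pipe per class and direction; the /32 mask gives every
    # host its own queue, as in the poster's config.
    printf 'pipe 2 config bw 500000Kbit mask dst-ip 0xffffffff\n'
    printf 'pipe 1002 config bw 500000Kbit mask src-ip 0xffffffff\n'
    printf 'pipe 4 config bw 1024Kbit mask dst-ip 0xffffffff\n'
    printf 'pipe 1004 config bw 1024Kbit mask src-ip 0xffffffff\n'
    # Fast paths: loopback, the uplink, ARP and every layer-3 packet leave
    # here, so only layer-2 frames on LAN_IF ever walk the MAC list.
    printf 'add 1 allow all from any to any via lo0\n'
    printf 'add 2 allow all from any to any via %s\n' "$WAN_IF"
    printf 'add 3 allow ip from any to any layer2 mac-type arp via %s\n' "$LAN_IF"
    printf 'add 4 skipto %d all from any to any not layer2\n' "$L3_START"
    # Per-client rules. ipfw's "MAC dst src": the first rule of each pair
    # matches frames to the host, the second frames from it.
    n=100
    printf '%s\n' "$clients" | while read -r mac class; do
        [ -n "$mac" ] || continue
        case $class in
        block)
            printf 'add %d deny ip from any to any MAC %s any via %s\n' "$n" "$mac" "$LAN_IF"
            printf 'add %d deny ip from any to any MAC any %s via %s\n' "$((n + 1))" "$mac" "$LAN_IF"
            ;;
        full) to=2; from=1002 ;;
        slow) to=4; from=1004 ;;
        *) echo "unknown class '$class' for $mac" >&2; exit 1 ;;
        esac
        if [ "$class" != block ]; then
            printf 'add %d pipe %d ip from any to any MAC %s any via %s\n' "$n" "$to" "$mac" "$LAN_IF"
            printf 'add %d pipe %d ip from any to any MAC any %s via %s\n' "$((n + 1))" "$from" "$mac" "$LAN_IF"
        fi
        n=$((n + 2))
    done
    # Layer-3 policy begins at the skipto target; keep the poster's default allow.
    printf 'add %d allow all from any to any\n' "$L3_START"
}

gen_ruleset "$SAMPLE_CLIENTS"
```

Two operational notes. Loading thousands of rules one `ipfw add` at a time leaves the box half-configured for a while; ipfw(8) documents the alternative of adding the new rules into a disabled set and then atomically exchanging it with the live set (`ipfw set disable N`, `ipfw add ... set N`, `ipfw set swap N 0`, `ipfw delete set N`). And the pass count matters as much as the rule count: with the default `net.inet.ip.fw.one_pass=1` a frame leaves the firewall as soon as it is handed to a pipe, whereas with `one_pass=0` the shaped frame is re-injected and walks the list a second time, so check that sysctl before blaming the rule count alone.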