IPFW2 tables Again

James haesu at towardex.com
Wed Aug 4 19:02:56 PDT 2004


> 
> The question is: can I do it for about 200 users, and would that affect 
> the machine performance?
> Because the table will be checked many many times. Can you please advise 
> me?

The table itself is a patricia trie, which means the lookup of the nodes within
the table (i.e. all the IPs inside table(1)) is always an O(32) constant lookup.

However, your problem is elsewhere. You have a potentially increasing number
of IPFW *RULES.* The ruleset (i.e. rule 00001 to 65535) is processed as a linked
list at a rate of O(N) linear lookup. The more rules the firewall has to pass
the packet through = the slower the performance and the more potential for added
latency. At first there were linear { x or y } brace blocks to compress the number
of vertical rules passed. But the { x or y } blocks are also processed in a
linear lookup, which doesn't really improve any performance. Then now we have the
table lookup to improve the performance for rules compressed into a table rule.
The problem with your setup is that your rules aren't exactly compressed. Your setup
has the potential for an increasing amount of rules, which I am afraid are linear
lookup based.

Consider using skipto's and/or structure your IPFW rules using skipto's so
that it becomes more efficient/predictable.


It would be good to see a form of 'compiled ACL' for IPFW publicly available
(there are a couple of proprietary commercial modifications I am aware of) some
day :-D Maybe format it a little similar to a TCAM table, where the firewall matches 
dest|src prefix + mask based on a bit trie (i.e. patricia trie or multibit), 
then does a hash lookup on values within the matching table (i.e. source port/
dest port)? I am sure there are other and probably more efficient ways to do 
it too.

-J

--
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
james at towardex.com                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net

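A cost model for the point made above, added here as an example; it is not ipfw code and not from the original post. It models the two behaviours the message describes: the ruleset is walked in rule-number order like a linked list (the cost is the number of rules examined, which grows with rule count), while a table(N) lookup is a prefix-tree match whose cost is bounded by the address width rather than by how many hosts are in the table. The rulesets, the 200 customer hosts in 10.0.0.0/24 and the 50 unrelated rules are constructed for the example; `examined` is the quantity to keep small.

```python
"""Simplified ipfw evaluation model: flat per-host rules vs. one table rule,
with and without a skipto to jump past unrelated rules (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    number: int
    action: str          # "allow", "deny" or "skipto"
    src: str = "any"     # "any", a host/CIDR, or "table(N)"
    target: int = 0      # destination rule number for skipto


class RadixTable:
    """Stand-in for ipfw's patricia-trie table: longest-prefix match by probing
    each prefix length from /32 down to /0, so at most 33 probes for IPv4
    regardless of how many entries the table holds (the O(32) in the message)."""

    def __init__(self):
        self.entries = set()          # (network as int, prefix length)

    def add(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        self.entries.add((int(net.network_address), net.prefixlen))

    def contains(self, addr):
        a = int(ipaddress.ip_address(addr))
        for plen in range(32, -1, -1):
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            if (a & mask, plen) in self.entries:
                return True
        return False


def matches(rule, tables, src):
    if rule.src == "any":
        return True
    if rule.src.startswith("table("):
        return tables[int(rule.src[6:-1])].contains(src)
    return ipaddress.ip_address(src) in ipaddress.ip_network(rule.src, strict=False)


def evaluate(rules, tables, src):
    """Walk the ruleset in number order; return (verdict, rules_examined)."""
    rules = sorted(rules, key=lambda r: r.number)
    i, examined = 0, 0
    while i < len(rules):
        r = rules[i]
        examined += 1
        if matches(r, tables, src):
            if r.action == "skipto":
                # skipto continues at the first rule numbered >= target
                i = next((j for j, x in enumerate(rules) if x.number >= r.target),
                         len(rules))
                continue
            return r.action, examined
        i += 1
    return "deny", examined           # ran off the end: default deny


# Constructed policy: 200 permitted customer hosts inside 10.0.0.0/24.
HOSTS = ["10.0.0.%d" % k for k in range(1, 201)]


def customer_table():
    t = RadixTable()
    for h in HOSTS:
        t.add(h)
    return {1: t}


def flat_ruleset():
    """One 'allow ip from <host>' rule per customer: the linear setup."""
    rules = [Rule(n + 1, "allow", src=h) for n, h in enumerate(HOSTS)]
    rules.append(Rule(65535, "deny"))
    return rules, {}


def table_ruleset():
    """Same policy compressed into a single table rule."""
    return [Rule(100, "allow", src="table(1)"), Rule(65535, "deny")], customer_table()


def skipto_ruleset():
    """Table rule placed behind a skipto, so customer traffic never walks the
    50 unrelated rules at 200-249 (stand-ins for policy on other netblocks)."""
    rules = [Rule(10, "skipto", src="10.0.0.0/24", target=1000),
             *[Rule(200 + k, "deny", src="192.0.2.%d" % k) for k in range(50)],
             Rule(1000, "allow", src="table(1)"),
             Rule(65535, "deny")]
    return rules, customer_table()


def cost(builder, src):
    rules, tables = builder()
    return evaluate(rules, tables, src)


if __name__ == "__main__":
    for name, b in (("flat", flat_ruleset), ("table", table_ruleset),
                    ("skipto", skipto_ruleset)):
        for src in ("10.0.0.200", "198.51.100.7"):
            print(name, src, cost(b, src))
```

For the last customer host the flat ruleset examines 200 rules before allowing, the table ruleset examines 1, and the skipto version 2 (the skipto itself plus the table rule); a non-customer source still has to walk the 50 unrelated rules in the skipto layout, which is the trade-off the message's "efficient/predictable" remark is about: structure the skiptos around the traffic classes you actually see.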

More information about the freebsd-ipfw mailing list