ipfw performance and random musings.
Ian FREISLICH
if at hetzner.co.za
Wed Aug 2 11:42:54 UTC 2006
Luigi Rizzo wrote:
> On Wed, Aug 02, 2006 at 12:27:39PM +0200, Ian FREISLICH wrote:
> ...
> > things. I can also give the ifp->if_index cache a go. Since I
> > need to virtualise the firewall, I need a set of rules for each
> > interface. I can't think of another way of sharing the firewall
> > between a few hundred customers than by doing this:
>
> that's too heavyweight, perhaps you need to implement a
> new microinstruction to hash the interface name and do an indirect
> jump to the right target. Although the syntax can be tricky, something
> like
> hash-if name:base:delta[,name:base:delta]
>
> where name is the basename of the interface (e.g. vlan)
> so that packets from interface fooX would jump to base+X*delta
So, this will get performance to approach 120kpps, but it will still
need to do a linear search of the rule set to find the next rule,
which I see I have to do anyway. For some reason I thought skipto
used a pointer to the next rule.
You're thinking somewhere along the lines of:
skipto base hash-if <name pattern> from <number> to <number> delta <delta> [offset <number>]
so
skipto 1000 hash-if vlan from 1 to 500 delta 100
will match vlan1 to vlan500 and skipto:
vlan1 rule 1100
...
vlan500 rule 51000
and
skipto 1000 hash-if vlan from 1000 to 1500 delta 100 offset -100000
will match vlan1000 to vlan1500 and skipto:
vlan1000 rule 1000
...
vlan1500 rule 51000
I'll see if I can figure out how to do this.
Ian
--
Ian Freislich
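The arithmetic behind the hash-if syntax sketched in the message above, as an added C example; this is not code from the thread or from ipfw itself, and the struct, the function names and the 16-bit rule-number check are this example's own assumptions:

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not ipfw code: a hypothetical representation of the proposed
 * "skipto <base> hash-if <name> from <lo> to <hi> delta <delta> [offset <off>]"
 * rule. Target rule = base + index*delta + offset, where index is the numeric
 * suffix of the interface name (vlan123 -> 123). */
struct hashif_spec {
	const char *basename;   /* interface name prefix, e.g. "vlan" */
	long base, lo, hi;      /* skipto base; inclusive index range matched */
	long delta, offset;     /* rule spacing per index; signed correction */
};

/* The two rules from the message above (constructed values). */
const struct hashif_spec hashif_low  = { "vlan", 1000,    1,  500, 100,       0 };
const struct hashif_spec hashif_high = { "vlan", 1000, 1000, 1500, 100, -100000 };

/* Numeric suffix of ifname, or -1 for another basename or a suffix that is
 * not purely numeric ("vlan1a"), so such interfaces never match. */
static int hashif_index(const struct hashif_spec *s, const char *ifname, long *idx)
{
	size_t n = strlen(s->basename);
	char *end;
	if (strncmp(ifname, s->basename, n) != 0 || !isdigit((unsigned char)ifname[n]))
		return -1;
	*idx = strtol(ifname + n, &end, 10);
	return *end == '\0' ? 0 : -1;
}

/* Rule number to jump to, or -1 when the rule does not match (fall through). */
long hashif_target(const struct hashif_spec *s, const char *ifname)
{
	long idx, target;
	if (hashif_index(s, ifname, &idx) != 0 || idx < s->lo || idx > s->hi)
		return -1;
	target = s->base + idx * s->delta + s->offset;
	/* ipfw rule numbers are 16-bit; out-of-range target = no match (a loader should reject it) */
	return (target >= 1 && target <= 65535) ? target : -1;
}

int main(void)
{
	const char *names[] = { "vlan1", "vlan500", "vlan1000", "vlan1500", "em0" };
	for (int i = 0; i < 5; i++)   /* low: 1100 51000 -1 -1 -1; high: -1 -1 1000 51000 -1 */
		printf("%-9s low %6ld  high %6ld\n", names[i],
		    hashif_target(&hashif_low, names[i]), hashif_target(&hashif_high, names[i]));
	return 0;
}
```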