ipfw rule processing performances
Julian Elischer
julian at freebsd.org
Fri Oct 28 05:04:27 UTC 2011
On 10/26/11 8:53 PM, Ian Smith wrote:
> On Wed, 26 Oct 2011, Julian Elischer wrote:
> > On 10/26/11 2:39 PM, Michael Sierchio wrote:
> > > On Wed, Oct 26, 2011 at 11:39 AM, Julian Elischer<julian at freebsd.org>
> > > wrote:
> > >
> > > > read up on all the things you can do with tablearg.. sometimes a single
> > > > table can replace dozens of rules.
> > > Julian - would you be so kind as to give an example?
> > >
> > > - M
> > >
> > off the top of my head:
> >
> > implement an ad-hoc RErouting table using fwd tablearg
> > implement entirely different rules for a complicated set of subnets using
> > skipto tablearg
>
> But in this context, isn't skipto tablearg time-expensive, in that it
> can't use the cached target of a normal skipto, but must to walk the
> ruleset from the skipto to the resulting rule each time?
not necessarily
if you have the destinations being normal skiptos following the selection
rule, you might select from one of a small number of destination skiptos
(which are cached) for an arbitrarily large set of client addresses, with a
single table lookup.
the time to walk a small number of rules is small..
> > arbitrarily slow down all the traffic from everyone you don't like in the
> > company using "lookup" and queue.
> >
> > from the man page:
> >
> > The tablearg argument can be used with the following
> > actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto
> > action parameters: tag, untag, rule options: limit, tagged.
> >
> > and...
> >
> > # addresses we don't want to be seeing coming from outside..
> > ${fwcmd} table 1 add 10.0.0.0/8
> > ${fwcmd} table 1 add 172.16.0.0/12
> > ${fwcmd} table 1 add 192.168.0.0/16
> > # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
> > # RESERVED-1, DHCP auto-configuration, NET-TEST, MULTICAST (class D),
> > # and class E) on the outside interface
> > ${fwcmd} table 1 add 0.0.0.0/8
> > ${fwcmd} table 1 add 169.254.0.0/16
> > ${fwcmd} table 1 add 192.0.2.0/24
> > ${fwcmd} table 1 add 224.0.0.0/4
> > ${fwcmd} table 1 add 240.0.0.0/4
>
> Indeed, I was entirely bemused by the arguments against incorporating
> this into rc.firewall a year or two ago ..
>
> cheers, Ian
>
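The layout Julian describes above, written out as an added example (not part of the thread and not from rc.firewall): one `skipto tablearg` selection rule, followed by a handful of ordinary `skipto` rules whose targets ipfw caches, so that a large number of client subnets costs a single table lookup plus a walk over at most a few rules. The table number, rule numbers, subnets and per-block policies are constructed values; the `${fwcmd}` convention is borrowed from the quoted rc.firewall snippet.

```shell
#!/bin/sh
# Added example, not code from the thread: the "skipto tablearg" layout
# described above. Rule 100 does one table lookup and jumps to one of a few
# plain skipto rules (110/120/130); those have cached targets, so the walk
# after the lookup is at most four rules however many subnets table 2 holds.
# Table number, rule numbers, subnets and policies are constructed values.

# Default to printing the commands (dry run); set fwcmd="ipfw -q" to apply.
fwcmd="${fwcmd:-echo ipfw}"

build_ruleset() {
    # Table 2 maps a client subnet to the rule number the packet skips to.
    ${fwcmd} table 2 flush
    ${fwcmd} table 2 add 10.1.0.0/16 110   # engineering (constructed)
    ${fwcmd} table 2 add 10.2.0.0/16 120   # guests (constructed)
    ${fwcmd} table 2 add 10.3.0.0/16 130   # servers (constructed)

    # Selection rule: a single lookup; the table value is the skipto target.
    ${fwcmd} add 100 skipto tablearg ip from "table(2)" to any
    # Sources not in table 2 fall through to here and are dropped.
    ${fwcmd} add 101 deny ip from any to any

    # Dispatch rules: ordinary skiptos, so the kernel caches their targets.
    ${fwcmd} add 110 skipto 1000 ip from any to any
    ${fwcmd} add 120 skipto 2000 ip from any to any
    ${fwcmd} add 130 skipto 3000 ip from any to any

    # Per-group policy blocks; each ends in a terminal rule so it cannot
    # fall through into the next block (policies are constructed).
    ${fwcmd} add 1000 allow ip from any to any
    ${fwcmd} add 2000 allow tcp from any to any 80,443
    ${fwcmd} add 2010 deny ip from any to any
    ${fwcmd} add 3000 allow tcp from any to any 22,443
    ${fwcmd} add 3010 deny ip from any to any
}

build_ruleset
```

Run it as-is to review the generated rules, then re-run with `fwcmd="ipfw -q"` to load them. Adding a new subnet is a single `table 2 add` with the right dispatch rule number; the rule list itself does not grow.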