IPFW MAX RULES COUNT PERFORMANCE

Adrian Chadd adrian at freebsd.org
Tue Apr 28 03:40:49 UTC 2009


You may want to investigate using pf; I'm not sure whether they handle
this better.

Me, I'd investigate writing a "tree" ipfw rule type. I.e., instead of
having a list of rules, all evaluated one at a time, I'd create a rule
implementing a subrule match on ip/netmask with some kind of action
(allow, deny, count, pipe, etc.) rather than having it all be evaluated
O(n) style.

2c,


Adrian

2009/4/28 Daniel Dias Gonçalves <ddg at yan.com.br>:
> Moving on to another example.
> If I wanted each authentication (username and password) in the captive
> portal to set up rules limiting the speed of the user's IP, how would I do it? Can I
> create two rules, in and out, for each user, associated with a pipe? When
> simulating this with a script adding hundreds of rules, the latency also
> increases; how do I resolve this?
>
> Adrian Chadd wrote:
>>
>> You'd almost certainly be better off hacking up an extension to ipfw
>> which lets you count a /24 in one rule.
>>
>> As in, the count rule would match on the subnet/netmask, have 256 32-bit
>> (or 64-bit) integers allocated to record traffic in, and then do an
>> O(1) operation using the last octet of the v4 address to map it into
>> this 256-slot array to update counters for.
>>
>> It'd require a little tool hackery to extend ipfw in userland/kernel
>> space to do it but it would work and be (very almost) just as fast as
>> a single rule.
>>
>> 2c,
>>
>>
>>
>> Adrian
>>
>> 2009/4/23 Daniel Dias Gonçalves <ddg at yan.com.br>:
>>
>>>
>>> Hi,
>>>
>>> My system is a FreeBSD 7.1R.
>>> When I add IPFW COUNT rules for 254 IPs on my network, the latency on one of
>>> my interfaces increases, causing large delays in the network; when I delete
>>> the COUNT rules, everything returns to normal. What can it be?
>>>
>>> My script:
>>>
>>> ipcount.php
>>> -- CUT --
>>> <?php
>>> # Adds a pair of "count" rules (to and from) for every host in 192.168.0.0/24.
>>> $c=0;
>>> $a=50100;   # first rule number; both rules of a pair share it
>>> for($x=0;$x<=0;$x++) {
>>>      for($y=1;$y<=254;$y++) {
>>>              $ip = "192.168.$x.$y";
>>>              system("/sbin/ipfw -q add $a count { tcp or udp } from any to $ip/32");
>>>              system("/sbin/ipfw -q add $a count { tcp or udp } from $ip/32 to any");
>>>              #system("/sbin/ipfw delete $a");
>>>              $c++;
>>>              $a++;
>>>      }
>>> }
>>> echo "\n\nTotal: $c\n";
>>> ?>
>>> -- CUT --
>>>
>>> net.inet.ip.fw.dyn_keepalive: 1
>>> net.inet.ip.fw.dyn_short_lifetime: 5
>>> net.inet.ip.fw.dyn_udp_lifetime: 10
>>> net.inet.ip.fw.dyn_rst_lifetime: 1
>>> net.inet.ip.fw.dyn_fin_lifetime: 1
>>> net.inet.ip.fw.dyn_syn_lifetime: 20
>>> net.inet.ip.fw.dyn_ack_lifetime: 300
>>> net.inet.ip.fw.static_count: 262
>>> net.inet.ip.fw.dyn_max: 10000
>>> net.inet.ip.fw.dyn_count: 0
>>> net.inet.ip.fw.curr_dyn_buckets: 256
>>> net.inet.ip.fw.dyn_buckets: 10000
>>> net.inet.ip.fw.default_rule: 65535
>>> net.inet.ip.fw.verbose_limit: 0
>>> net.inet.ip.fw.verbose: 1
>>> net.inet.ip.fw.debug: 0
>>> net.inet.ip.fw.one_pass: 1
>>> net.inet.ip.fw.autoinc_step: 100
>>> net.inet.ip.fw.enable: 1
>>> net.link.ether.ipfw: 1
>>> net.link.bridge.ipfw: 0
>>> net.link.bridge.ipfw_arp: 0
>>>
>>> Thanks,
>>>
>>> Daniel
>>> _______________________________________________
>>> freebsd-net at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>>
>>>
>>
>
>
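The /24 count rule sketched in the quoted reply above (a net/mask match feeding a 256-slot counter array indexed by the last octet), as an added C example that is not from this thread or from ipfw itself: struct and function names are hypothetical, and the example checks the O(1) design against the script's one-rule-per-host linear walk on constructed traffic.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical "subnet count" rule as sketched in the thread: match on net/mask,
 * then index a 256-slot counter array by the last octet. Names are mine, not ipfw's. */
struct subnet_count_rule {
    uint32_t net, mask;      /* host byte order; mask fixed at /24 */
    uint64_t in_pkts[256];   /* packets to a host in the /24, slot = dst octet */
    uint64_t out_pkts[256];  /* packets from such a host, slot = src octet */
};
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
static void subnet_rule_init(struct subnet_count_rule *r, uint32_t net) {
    memset(r, 0, sizeof *r);
    r->mask = 0xffffff00u; r->net = net & r->mask;
}
/* O(1) per packet: two compares and two array updates, however many hosts the /24 holds. */
static int subnet_rule_match(struct subnet_count_rule *r, uint32_t src, uint32_t dst) {
    int hits = 0;                                  /* counters bumped: 0, 1 or 2 */
    if ((dst & r->mask) == r->net) { r->in_pkts[dst & 0xffu]++;  hits++; }
    if ((src & r->mask) == r->net) { r->out_pkts[src & 0xffu]++; hits++; }
    return hits;
}
/* The script's approach, for comparison: one rule per host and direction,
 * walked linearly, so every packet costs O(number of rules). */
struct host_rule { uint32_t addr; int to_host; uint64_t pkts; };
static int linear_match(struct host_rule *rl, int n, uint32_t src, uint32_t dst) {
    int hits = 0, i;
    for (i = 0; i < n; i++)
        if ((rl[i].to_host ? dst : src) == rl[i].addr) { rl[i].pkts++; hits++; }
    return hits;
}
/* Replay a constructed traffic sample through both designs; 1 if all per-host counts agree. */
int counts_agree(void) {
    static struct host_rule rl[508];               /* 254 hosts x in/out, as in the script */
    struct subnet_count_rule sr;
    uint32_t ext = IP4(198, 51, 100, 7), h, s, d;  /* constructed external peer */
    int i;
    for (i = 0; i < 508; i++)
        rl[i] = (struct host_rule){ IP4(192, 168, 0, 1 + i / 2), i & 1, 0 };
    subnet_rule_init(&sr, IP4(192, 168, 0, 0));
    for (i = 0; i < 1000; i++) {                   /* hosts .1 to .50, one third inbound */
        h = IP4(192, 168, 0, 1 + i % 50);
        s = i % 3 ? h : ext; d = i % 3 ? ext : h;
        linear_match(rl, 508, s, d); subnet_rule_match(&sr, s, d);
    }
    for (i = 0; i < 508; i++) {
        h = rl[i].addr & 0xffu;
        if (rl[i].pkts != (rl[i].to_host ? sr.in_pkts[h] : sr.out_pkts[h])) return 0;
    }
    return 1;
}
```

The linear walk touches all 508 rules for every packet, which is the cost the original script pays; the subnet rule does the same bookkeeping with two compares and two increments.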

