IPFW MAX RULES COUNT PERFORMANCE

Julian Elischer julian at elischer.org
Tue Apr 28 06:52:01 UTC 2009


Daniel Dias Gonçalves wrote:
> Julian,
> 
> You could give an example of rules with tables?

I'm sorry I forgot that you want to count packets from each client.
tables won't work for that.


for counting I suggest the technique I show below,
but for just allowing, you can add allowable addresses to
a table,
e.g. table 1 add 1.2.3.4

and test it with

allow ip from table (1) to any


> 
> Julian Elischer escreveu:
>> Daniel Dias Gonçalves wrote:
>>> Very good thinking, congratulations, but my need is another.
>>> The objective is a Captive Portal that each authentication is 
>>> dynamically created a rule to ALLOW or COUNT IP authenticated, which 
>>> I'm testing is what is the maximum capacity of rules supported, 
>>> therefore simultaneous user.
>>>
>>> Understand ?
>>>
>> I think so.
>>
>>
>> do not add rules.
>> have a single rule that looks in a table
>> and add entries to the table when needed.
>>
>>> Thanks,
>>>
>>> Daniel
>>>
>>> Julian Elischer escreveu:
>>>> Daniel Dias Gonçalves wrote:
>>>>> Hi,
>>>>>
>>>>> My system is a FreeBSD 7.1R.
>>>>> When I add rules IPFW COUNT to 254 IPS from my network, one of my 
>>>>> interfaces increases the latency, causing large delays in the 
>>>>> network, when I delete COUNT rules, everything returns to normal, 
>>>>> which can be ?
>>>>>
>>>>> My script:
>>>>
>>>> of course adding 512 rules, *all of which have to be evaluated* will 
>>>> add latency.
>>>>
>>>> you have several ways to improve this situation.
>>>>
>>>> 1/ use a different tool.
>>>> By using the netgraph netflow module you can get
>>>> accounting information that may be more useful and less impactful.
>>>>
>>>> 2/ you could make your rules smarter..
>>>>
>>>> use skipto rules to make the average packet traverse less rules..
>>>>
>>>> off the top of my head.. (not tested..)
>>>>
>>>> Assuming you have machines 10.0.0.1-10.0.0.254....
>>>> the rules below have an average packet traversing 19 rules and not 
>>>> 256 for the SYN packet and 2 rules for others..
>>>> you may not be able to do the keep state trick if you use state for 
>>>> other stuff but in that case worst case will still be 19 rules.
>>>>
>>>> 2 check-state
>>>> 5 skipto 10000 ip from not 10.0.0.0/24 to any
>>>> 10 skipto 2020 ip from not 10.0.0.0/25 to any  # 0-127
>>>> 20 skipto 1030 ip from not 10.0.0.0/26 to any  # 0-64
>>>> 30 skipto 240 ip from not 10.0.0.0/27  to any  # 0-32
>>>> 40 skipto 100 ip from not 10.0.0.0/28  to any  # 0-16
>>>> [16 count rules for 0-15]
>>>> 80 skipto 10000 ip from any to any
>>>> 100 [16 count rules for 16-31] keep-state
>>>> 140 skipto 10000 ip from any to any
>>>> 240 skipto 300 ip from not 10.0.0.32/28 to any
>>>>     [16 rules for 32-47] keep-state
>>>> 280 skipto 10000 ip from any to any
>>>> 300 [16 count rules for 48-63] keep-state
>>>> 340 skipto 10000 ip from any to any
>>>> 1030 skipto 1240 ip from not 10.0.0.64/27 to any
>>>> 1040 skipto 1100 ip from not 10.0.0.64/28 to any
>>>>    [16 count rules for 64-79] keep-state
>>>> 1080 skipto 10000 ip from any to any
>>>> 1100 [16 rules for 80-95] keep-state
>>>> 1140 skipto 10000 ip from any to any
>>>> 1240 skipto 1300 ip from not 10.0.0.96/28 to any
>>>>     [16 count rules for 96-111] keep-state
>>>> 1280 skipto 10000 ip from any to any
>>>> 1300 [16 rules for 112-127] keep-state
>>>> 1340 skipto 10000 ip from any to any
>>>> 2020 skipto 3030 ip from not 10.0.0.128/26 to any
>>>> 2030 skipto 2240 ip from not 10.0.0.128/28 to any
>>>>     [16 count rules for 128-143] keep-state
>>>> 2080 skipto 10000 ip from any to any
>>>> 2100 [16 rules for 144-159] keep-state
>>>> 2140 skipto 10000 ip from any to any
>>>> 2240 skipto 2300 ip from not 10.0.0.160/28 to any
>>>>     [16 count rules for 160-175] keep-state
>>>> 2280 skipto 10000 ip from any to any
>>>> 2300 [16 count rules for 176-191] keep-state
>>>> 2340 skipto 10000 ip from any to any
>>>> 3030 skipto 3240 ip from not 10.0.0.192/27 to any
>>>> 3040 skipto 3100 ip from not 10.0.0.192/28 to any
>>>>     [16 count rules for 192-207] keep-state
>>>> 3080 skipto 10000 ip from any to any
>>>> 3100 [16 rules for 208-223] keep-state
>>>> 3140 skipto 10000 ip from any to any
>>>> 3240 skipto 3300 ip from not 10.0.0.224/28 to any
>>>>     [16 count rules for 224-239] keep-state
>>>> 3280 skipto 10000 ip from any to any
>>>> 3300 [16 count rules for 240-255] keep-state
>>>> 3340 skipto 10000 ip from any to any
>>>>
>>>> 10000 #other stuff
>>>>
>>>> in fact you could improve it further with:
>>>> 1/ either going down to a netmask of 29 (8 rules per set)
>>>> or
>>>> 2/ instead of having count rules make them skipto
>>>> so you would have:
>>>> 3300 skipto 10000 ip from 10.0.0.240 to any
>>>> 3301 skipto 10000 ip from 10.0.0.241 to any
>>>> 3302 skipto 10000 ip from 10.0.0.242 to any
>>>> 3303 skipto 10000 ip from 10.0.0.243 to any
>>>> 3304 skipto 10000 ip from 10.0.0.244 to any
>>>> 3305 skipto 10000 ip from 10.0.0.245 to any
>>>> 3306 skipto 10000 ip from 10.0.0.246 to any
>>>> 3307 skipto 10000 ip from 10.0.0.247 to any
>>>> 3308 skipto 10000 ip from 10.0.0.248 to any
>>>> 3309 skipto 10000 ip from 10.0.0.249 to any
>>>> 3310 skipto 10000 ip from 10.0.0.250 to any
>>>> 3311 skipto 10000 ip from 10.0.0.251 to any
>>>> 3312 skipto 10000 ip from 10.0.0.252 to any
>>>> 3313 skipto 10000 ip from 10.0.0.253 to any
>>>> 3314 skipto 10000 ip from 10.0.0.254 to any
>>>> 3315 skipto 10000 ip from 10.0.0.255 to any
>>>>
>>>> thus on average, a packet would traverse half the rules (8).
>>>>
>>>> 3/ both the above  so on average they would traverse  4 rules plus 
>>>> one extra skipto.
>>>>
>>>> you should be  able to do the above in a script.
>>>> I'd love to see it..
>>>>
>>>> (you can also do skipto tablearg in -current (maybe 7.2 too)
>>>> which may also be good.. (or not))
>>>>
>>>>
>>>> julian
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> freebsd-net at freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>>>
>>>>
>>

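Julian asks for the skipto tree as a script. The following is an added example, not code from the thread: it generates the binary skipto tree for a network with per-host count rules at the leaves, renders it as ipfw rule lines, and simulates how many rules a packet traverses before reaching the exit rule. The rule numbering (base 100, step 10, exit rule 10000) and the function names are my own assumptions; check-state/keep-state is left out.

```python
# Added example (not from the thread): build Julian's binary skipto tree for
# ipfw and measure how many rules a packet from a given source traverses.
import ipaddress


def build_rules(net, leaf_prefix=28):
    """Return a list of (kind, cond, target) tuples describing the tree.
    kind 'skipto': jump to index `target` (None = the exit rule) when the
    source is NOT in `cond`; cond None means an unconditional jump.
    kind 'count': one count rule per host, always falls through."""
    net = ipaddress.ip_network(net)
    rules = [("skipto", net, None)]            # guard: not our net -> exit rule

    def emit(sub):
        if sub.prefixlen >= leaf_prefix:       # leaf block: count every host
            rules.extend(("count", host, None) for host in sub)
            rules.append(("skipto", None, None))  # counted -> exit rule
            return
        lo, hi = sub.subnets(prefixlen_diff=1)
        idx = len(rules)
        rules.append(("skipto", lo, None))     # placeholder, patched below
        emit(lo)
        rules[idx] = ("skipto", lo, len(rules))  # not in lo -> hi subtree
        emit(hi)

    emit(net)
    return rules


def render(rules, base=100, step=10, exit_rule=10000):
    """Render as ipfw rule lines; rule number = base + index * step."""
    assert base + len(rules) * step <= exit_rule, "tree overlaps exit rule"
    num = lambda i: exit_rule if i is None else base + i * step
    lines = []
    for i, (kind, cond, target) in enumerate(rules):
        if kind == "count":
            lines.append(f"{num(i)} count ip from {cond} to any")
        elif cond is None:
            lines.append(f"{num(i)} skipto {num(target)} ip from any to any")
        else:
            lines.append(f"{num(i)} skipto {num(target)} ip from not {cond} to any")
    return lines


def rules_traversed(rules, src):
    """Rules ipfw evaluates for a packet from `src` until the exit rule."""
    src = ipaddress.ip_address(src)
    i = n = 0
    while i < len(rules):
        kind, cond, target = rules[i]
        n += 1
        if kind == "skipto" and (cond is None or src not in cond):
            if target is None:
                return n                       # jumped to the exit rule
            i = target
        else:
            i += 1                             # count rule or skipto not taken
    return n
```

With /28 leaves every in-network packet evaluates 22 rules (guard, four skiptos, sixteen counts, exit) instead of the 256 of a flat count list; with /29 leaves it drops to 15.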

