PREVIEW - netmap-enabled ipfw

Luigi Rizzo rizzo at
Wed Jul 25 18:21:07 UTC 2012

First and foremost: this is just a preview, only usable for testing now,
but very very close to working.

At the above URL you can find a userspace version of ipfw that reads
packets from a netmap-compatible port (i.e. a netmap-supported interface,
or a port on a VALE bridge) and processes them through ipfw.
It builds and runs on both Linux and FreeBSD, and uses the ipfw sources
from today's HEAD.

Right now the output is thrown away, but very shortly the code will
also send it to an output port.

The way it works is very simple (see also the picture below,
drawn with )

The formerly-kernel-side part of the firewall now runs in a userspace
process (kipfw) and is controlled by a slightly modified ipfw that
routes the sockopt commands over TCP to localhost:5555 (hardwired).
kipfw stores rules persistently, and also reads from a netmap port.

The configuration below shows how to use pkt-gen to test the performance
of the system: you need to load the VALE-enabled netmap module,
then in one terminal run "kipfw vale-test",
in another terminal use the ipfw that you just built to
add/delete/show stuff, and you can use netmap's pkt-gen to
generate traffic.

                                                  |            |
    +----------+          +----------------+      |            |
    |          | tcp/5555 |                |      |  pkt-gen   |
    | ipfw     +--------->|   kipfw        |      |            |
    |          |          |                |      |            |
    +----------+          +----------------+      +-----+------+
                                    ^                   |
                                    |                   |
                                    |                   |
                                    |                   v
                            |                                  |
                            |         VALE bridge              |
                            |                                  |

A quick test with a simple ruleset (4 rules, see below) shows a processing
speed of 9-10Mpps on one core. I think there is still room for a little
bit of improvement. Especially, we can now test the performance
impact of changes to the firewall code without the need for
complex hardware setups.

	> ipfw/ipfw show
	connected to
	00100 30628621 1408916566 count ip from any to any dst-ip
	00100        0          0 count ip from any to any dst-ip
	00100        0          0 count ip from any to any dst-ip
	65535 30628621 1408916566 allow ip from any to any
