userspace version of ipfw kernel module
Luigi Rizzo
rizzo at iet.unipi.it
Fri Mar 2 19:03:09 UTC 2012
I have written some glue code that lets you build a userspace version
of the kernel-side of ipfw (and dummynet), for the following purposes:
1. performance testing. You can run the ipfw_chk() code in a tight loop
and actually measure its runtime, instead of being dependent
on input traffic and device drivers and other overheads
2. (eventually) build userspace versions of the firewall on top of
netmap or other accelerated I/O frameworks.
The tarball is at
http://info.iet.unipi.it/~luigi/netmap/20120302-ipfw-user.tgz
The client side (ipfw/ipfw) talks to the former-kernel side (dummynet/ipfw)
via a tcp socket (localhost:5555) so you can inject rules etc.
To start a fake infinite traffic source do a
telnet localhost 5556
and press some chars before aborting the connection
Then you can still check how fast the filter processes rules
by running something like this
sh -c "while true; do ipfw/ipfw show; ipfw/ipfw zero; sleep 1; done"
I believe a similar approach could be useful for 'pf' too.
And the glue code is probably easy to recycle -- in the tarball,
sbin/ipfw and sys/netinet/ipfw are identical (except perhaps
for a few lines) to the version in head.
enjoy
luigi
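Below is an added wrapper around the show/zero measurement loop described in the post; it is not part of the tarball. It assumes the client binary ipfw/ipfw is built and talking to the userspace firewall on localhost:5555, that the fake traffic source listens on localhost:5556, and that nc(1) is available to kick it off.

```shell
#!/bin/sh
# Added example (not the author's code): measure how many packets per second
# the userspace ipfw_chk() loop pushes through the rule set.
# Assumption: the client binary lives at ipfw/ipfw (override with IPFW=...).
IPFW=${IPFW:-ipfw/ipfw}

# Kick the fake traffic source: connect to localhost:5556, send a few chars,
# drop the connection (the post says the source keeps running afterwards).
# Assumes nc(1); -w 1 bounds the connect/read wait so the call returns.
start_traffic() {
    printf 'go\n' | nc -w 1 localhost 5556 >/dev/null 2>&1 || true
}

# Sum the packet counter column of 'ipfw show' output read from stdin.
# Static rule lines look like "00100 1234 567890 allow ip from any to any":
# rule number, packets, bytes, then the rule body. Non-rule lines such as
# the "## Dynamic rules" banner are skipped by the numeric guards.
sum_packets() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { total += $2 }
         END { printf "%d\n", total + 0 }'
}

# One measurement interval: reset counters, wait, read them back, and print
# the packets-per-second figure for the whole rule set.
measure_once() {
    interval=${1:-1}
    "$IPFW" zero >/dev/null 2>&1
    sleep "$interval"
    pkts=$("$IPFW" show 2>/dev/null | sum_packets)
    echo $((pkts / interval))
}

# Continuous mode, same loop as in the post but printing one pps value per
# interval instead of the full rule listing. Run: sh measure.sh run
if [ "${1:-}" = "run" ]; then
    start_traffic
    while true; do
        measure_once 1
    done
fi
```

With a single `allow ip from any to any` rule the figure approximates the raw cost of one ipfw_chk() pass per packet; adding rules shows how the per-packet cost grows with rule-set size.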