From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 10 00:00:55 2003
From: "Artis Caune" <ac-lists@latnet.lv>
To: "'Luigi Rizzo'"
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 10 Nov 2003 09:59:29 +0200
Subject: RE: loading lot of rules takes very long time
In-Reply-To: <20031106033919.A65661@xorpc.icir.org>
Message-Id: <20031110080053.5A99543F3F@mx1.FreeBSD.org>

"-Nq" speeds it up a little bit, thanks.

We need individual pipes for each client, because they are different organizations and pay different prices for different speed pipes (international traffic). We have a /16 prefix ;)

We use "or" blocks for organizations with more than one IP.

So I believe our rules design is not ok, but we can do nothing about it!
We use "skipto" to divide our /16 prefix into pieces:

add 2 skipto 100 all from any to 159.148.0.0/24
add 2 skipto 200 all from any to 159.148.1.0/24
...
add 2 skipto N all from any to 159.148.255.0/24

This is just an example; we need more planning.

pf can load 50000 rules in about 5-7 sec. ipfw needs about 25-35 min to load 30000 rules.

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Luigi Rizzo
Sent: Thursday, 6 November 2003 13:39
To: Artis Caune
Cc: freebsd-ipfw@freebsd.org
Subject: Re: loading lot of rules takes very long time

Most likely, because you are not using "-n", the printing code will use the nameserver to try and resolve addresses, and if halfway through you are limiting/blocking access to the nameserver you incur timeouts.

To tell the truth I suspect you have a quite poorly designed ruleset if you are adding individual rules and pipes for each client. Almost surely you should make use of masks in pipes, and address sets in rules, to reduce the size of your ruleset to something manageable and efficient.

cheers
luigi

On Thu, Nov 06, 2003 at 01:04:31PM +0200, Artis Caune wrote:
> Hello,
>
> We have about 10000-20000 pipes for
> different subnets, and it takes a very long
> time to load them - about 10-15 min.
>
> 92.8% interrupt, 0.0% idle
>
> Strange that things slow down when the count
> reaches 2000-2500 rules.
>
> Is there something we can do to speed things up?
>
> Rules are added like:
> ipfw -q add 1 pipe 1 src-ip 1.1.1.1 out via em0
> ipfw pipe 1 config bw 30Kbytes/s queue 10
> ...
> So 'ipfw' is invoked '2 x client_count' !!!
>
> Maybe ipfw needs a feature like:
> ipfw -f /etc/rc.firewall
>
> # FreeBSD-4.9, IPFW2,
> # HZ=2000, DEVICE_POLLING,
> # 1G RAM, 2.4xeon on Intel server board
>
> .....
> Artis

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
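The skipto partitioning Artis Caune sketches in his reply, worked through as an added example (not code from the thread or from FreeBSD): a POSIX shell script that emits an ipfw rule file with one skipto block per /24 of the /16, each client's pipe rule placed inside its own block so a packet is only matched against the rules of its /24, and the whole file loaded with one ipfw invocation rather than one process per rule. The block base, block step, tail rule number, the client list, and ipfw's file-reading form being available on the poster's FreeBSD 4.9 are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit an ipfw rule file that splits the
# 159.148.0.0/16 prefix into one skipto block per /24, so a packet is matched
# only against the per-client pipe rules of its own /24 instead of all of them.
# Load in a single invocation (file-reading form assumed available on 4.9):
#   gen_rules > /tmp/rules.ipfw && ipfw -q /tmp/rules.ipfw

PREFIX=159.148     # the /16 from the thread
BLOCK_BASE=1000    # assumed: rule number of the block for 159.148.0.0/24
BLOCK_STEP=100     # assumed: rule numbers reserved per /24 block
TAIL_RULE=65000    # assumed: common rule every block jumps to when done

# Constructed sample client list: "address/len pipe_number bandwidth"
CLIENTS='159.148.0.10/32 1 30Kbytes/s
159.148.0.20/32 2 64Kbytes/s
159.148.1.0/28 3 128Kbytes/s'

# First rule number of the block that handles third octet $1.
block_rule() { echo $((BLOCK_BASE + $1 * BLOCK_STEP)); }

# Third octet of a dotted-quad address (the /24 index inside the /16).
third_octet() { echo "$1" | cut -d. -f3; }

gen_rules() {
    # Dispatch: 256 skipto rules, all numbered 2 as in the thread; ipfw
    # jumps to the first rule whose number is >= the skipto target.
    i=0
    while [ "$i" -le 255 ]; do
        echo "add 2 skipto $(block_rule "$i") all from any to $PREFIX.$i.0/24"
        i=$((i + 1))
    done
    # Per-client pipe config and pipe rule, placed in the client's /24 block.
    echo "$CLIENTS" | while read -r cidr pipe bw; do
        [ -z "$cidr" ] && continue
        o=$(third_octet "${cidr%/*}")
        echo "pipe $pipe config bw $bw queue 10"
        echo "add $(block_rule "$o") pipe $pipe all from any to $cidr out via em0"
    done
    # Close each block: jump to the common tail so blocks never fall through
    # into the next block's rules.
    i=0
    while [ "$i" -le 255 ]; do
        echo "add $(( $(block_rule "$i") + BLOCK_STEP - 1 )) skipto $TAIL_RULE all from any to any"
        i=$((i + 1))
    done
    echo "add $TAIL_RULE allow all from any to any"
}
```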