From owner-freebsd-ipfw@FreeBSD.ORG  Mon Apr 27 16:24:22 2009
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7B6C9106564A
	for <freebsd-ipfw@freebsd.org>; Mon, 27 Apr 2009 16:24:22 +0000 (UTC)
	(envelope-from ddg@yan.com.br)
Received: from mail.mastercabo.com.br (mail.mastercabo.com.br [189.91.0.40])
	by mx1.freebsd.org (Postfix) with SMTP id D01328FC14
	for <freebsd-ipfw@freebsd.org>; Mon, 27 Apr 2009 16:24:21 +0000 (UTC)
	(envelope-from ddg@yan.com.br)
Received: (qmail 93547 invoked by uid 1008); 27 Apr 2009 16:24:19 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.5-unknown (2008-06-10) on srvmail3
X-Spam-Level: 
X-Spam-Status: No, score=-2.5 required=4.8 tests=BAYES_00,RDNS_NONE
	autolearn=no version=3.2.5-unknown
Received: from unknown (HELO ?192.168.0.169?)
	(daniel@dgnetwork.com.br@189.91.0.65)
	by mail.mastercabo.com.br with SMTP; 27 Apr 2009 16:24:19 -0000
Message-ID: <49F5DBB3.6030500@yan.com.br>
Date: Mon, 27 Apr 2009 13:22:11 -0300
From: =?ISO-8859-1?Q?Daniel_Dias_Gon=E7alves?= <ddg@yan.com.br>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Adrian Chadd <adrian@freebsd.org>
References: <49F06985.1000303@yan.com.br>
	<d763ac660904241006v3eca3e76p46534ec5a6561fb2@mail.gmail.com>
In-Reply-To: <d763ac660904241006v3eca3e76p46534ec5a6561fb2@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: Re: IPFW MAX RULES COUNT PERFORMANCE
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: ddg@yan.com.br
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2009 16:24:22 -0000

Going to another example.
If I wanted that each authentication (username and password) in captive 
portal, set up rules limiting the speed of the user's IP, as I do? I can 
create two rules for the in / out for each user associated with a pipe? 
When simulating this with a script adding hundreds of rules, the latency 
also increases, as resolve this ?

Adrian Chadd escreveu:
> You'd almost certainly be better off hacking up an extension to ipfw
> which lets you count a /24 in one rule.
>
> As in, the count rule would match on the subnet/netmask, have 256 32
> (or 64 bit) integers allocated to record traffic in, and then do an
> O(1) operation using the last octet of the v4 address to map it into
> this 256 slot array to update counters for.
>
> It'd require a little tool hackery to extend ipfw in userland/kernel
> space to do it but it would work and be (very almost) just as fast as
> a single rule.
>
> 2c,
>
>
>
> Adrian
>
> 2009/4/23 Daniel Dias Gonçalves <ddg@yan.com.br>:
>   
>> Hi,
>>
>> My system is a FreeBSD 7.1R.
>> When I add rules IPFW COUNT to 254 IPS from my network, one of my interfaces
>> increases the latency, causing large delays in the network, when I delete
>> COUNT rules, everything returns to normal, which can be ?
>>
>> My script:
>>
>> ipcount.php
>> -- CUT --
>> <?
>> $c=0;
>> $a=50100;
>> for($x=0;$x<=0;$x++) {
>>       for($y=1;$y<=254;$y++) {
>>               $ip = "192.168.$x.$y";
>>               system("/sbin/ipfw -q add $a count { tcp or udp } from any to
>> $ip/32");
>>               system("/sbin/ipfw -q add $a count { tcp or udp } from $ip/32
>> to any");
>>               #system("/sbin/ipfw delete $a");
>>               $c++;
>>               $a++;
>>       }
>> }
>> echo "\n\nTotal: $c\n";
>> ?>
>> -- CUT --
>>
>> net.inet.ip.fw.dyn_keepalive: 1
>> net.inet.ip.fw.dyn_short_lifetime: 5
>> net.inet.ip.fw.dyn_udp_lifetime: 10
>> net.inet.ip.fw.dyn_rst_lifetime: 1
>> net.inet.ip.fw.dyn_fin_lifetime: 1
>> net.inet.ip.fw.dyn_syn_lifetime: 20
>> net.inet.ip.fw.dyn_ack_lifetime: 300
>> net.inet.ip.fw.static_count: 262
>> net.inet.ip.fw.dyn_max: 10000
>> net.inet.ip.fw.dyn_count: 0
>> net.inet.ip.fw.curr_dyn_buckets: 256
>> net.inet.ip.fw.dyn_buckets: 10000
>> net.inet.ip.fw.default_rule: 65535
>> net.inet.ip.fw.verbose_limit: 0
>> net.inet.ip.fw.verbose: 1
>> net.inet.ip.fw.debug: 0
>> net.inet.ip.fw.one_pass: 1
>> net.inet.ip.fw.autoinc_step: 100
>> net.inet.ip.fw.enable: 1
>> net.link.ether.ipfw: 1
>> net.link.bridge.ipfw: 0
>> net.link.bridge.ipfw_arp: 0
>>
>> Thanks,
>>
>> Daniel
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>
>>     
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
>
>