Date: Wed, 02 Aug 2006 13:42:51 +0200
From: Ian FREISLICH <if@hetzner.co.za>
To: Luigi Rizzo <rizzo@icir.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw performance and random musings.
Message-ID: <E1G8F7j-000ICo-Pv@hetzner.co.za>
In-Reply-To: Message from Luigi Rizzo <rizzo@icir.org> of "Wed, 02 Aug 2006 03:37:59 MST." <20060802033759.A13393@xorpc.icir.org>
Luigi Rizzo wrote:
> On Wed, Aug 02, 2006 at 12:27:39PM +0200, Ian FREISLICH wrote:
> ...
> > things.  I can also give the ifp->if_index cache a go.  Since I
> > need to virtualise the firewall, I need a set of rules for each
> > interface.  I can't think of another way of sharing the firewall
> > between a few hundred customers than by doing this:
>
> that's too heavyweight, perhaps you need to implement a
> new microinstruction to hash the interface name and do an indirect
> jump to the right target. Although the syntax can be tricky, something
> like
>
>     hash-if name:base:delta[,name:base:delta]
>
> where name is the basename of the interface (e.g. vlan)
> so that packets from interface fooX would jump to base+X*delta

So, this will get performance to approach 120kpps, that will still
need to do a linear search of the rule set to find the next rule,
which I see I have to do anyway.  For some reason I thought skipto
used a pointer to the next rule.

You're thinking somewhere along the lines of:

    skipto base hash-if <name pattern> from <number> to <number> delta <delta> [offset <number>]

so

    skipto 1000 hash-if vlan from 1 to 500 delta 100

will match vlan1 to vlan500 and skipto:

    vlan1    rule 1100
    ...
    vlan500  rule 51000

and

    skipto 1000 hash-if vlan from 1000 to 1500 delta 100 offset -100000

will match vlan1000 to vlan1500 and skipto:

    vlan1000 rule 1000
    ...
    vlan1500 rule 51000

I'll see if I can figure out how to do this.

Ian

--
Ian Freislich
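The target computation sketched in the message (base + unit*delta, plus an optional offset, over a bounded range of interface units) as a user-space model in C. This is an added example and is not code from the thread or from ipfw; the `hash-if` syntax is Ian's proposal, not an ipfw instruction, and the struct name, the `split_ifname`/`hash_if_target` helpers and the explicit range and rule-number bounds checks are assumptions made here. It reproduces the two instructions and the rule numbers quoted above, and returns -1 for any interface the instruction does not cover so that a packet from an unlisted or out-of-range interface falls through to the next rule rather than jumping into another customer's block.

```c
/* Added example (not from the thread or ipfw): a user-space model of the
 * proposed "hash-if" dispatch.  The instruction syntax is Ian's sketch;
 * the range and bounds checks are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPFW_MAX_RULE 65535   /* highest rule number ipfw accepts */

/* skipto <base> hash-if <name> from <lo> to <hi> delta <delta> [offset <off>] */
struct hash_if {
    const char *name;   /* interface basename, e.g. "vlan" */
    long base;          /* base rule number given to skipto */
    long lo, hi;        /* inclusive range of interface unit numbers */
    long delta;         /* rule-number stride per unit */
    long off;           /* optional offset, 0 when absent */
};

/* Split "vlan123" into basename "vlan" and unit 123.
 * Returns 0 on success, -1 if the name has no trailing digits or no basename. */
int split_ifname(const char *ifname, char *base, size_t baselen, long *unit)
{
    size_t n = strlen(ifname), i = n;

    while (i > 0 && isdigit((unsigned char)ifname[i - 1]))
        i--;
    if (i == 0 || i == n || i >= baselen)
        return -1;
    memcpy(base, ifname, i);
    base[i] = '\0';
    *unit = strtol(ifname + i, NULL, 10);
    return 0;
}

/* Rule number the packet would skip to, or -1 when the interface is not
 * covered by this instruction (the firewall then continues with the next
 * rule instead of jumping into another customer's block). */
long hash_if_target(const struct hash_if *h, const char *ifname)
{
    char base[32];
    long unit, target;

    if (split_ifname(ifname, base, sizeof base, &unit) != 0)
        return -1;
    if (strcmp(base, h->name) != 0)
        return -1;
    /* range check first, so an absurd unit number never reaches the multiply */
    if (unit < h->lo || unit > h->hi)
        return -1;
    target = h->base + unit * h->delta + h->off;
    /* a computed target outside the rule-number space must not be followed */
    if (target <= 0 || target > IPFW_MAX_RULE)
        return -1;
    return target;
}

int main(void)
{
    /* the two instructions from the message */
    struct hash_if low  = { "vlan", 1000,    1,  500, 100,       0 };
    struct hash_if high = { "vlan", 1000, 1000, 1500, 100, -100000 };
    /* constructed sample interface names, including two not covered */
    const char *ifs[] = { "vlan1", "vlan500", "vlan501", "vlan1000", "vlan1500", "em0" };
    size_t i;

    for (i = 0; i < sizeof ifs / sizeof ifs[0]; i++)
        printf("%-9s low=%6ld high=%6ld\n", ifs[i],
               hash_if_target(&low, ifs[i]), hash_if_target(&high, ifs[i]));
    return 0;
}
```

The bounds check on the computed target matters for a misconfigured range: with base 1000 and delta 100, any unit above 645 would land past 65535, and the model refuses to dispatch such a packet rather than jumping to an undefined rule number.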