From owner-freebsd-ipfw@FreeBSD.ORG  Wed Aug  2 11:42:54 2006
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 14B0516A4DD
	for <freebsd-ipfw@freebsd.org>; Wed,  2 Aug 2006 11:42:54 +0000 (UTC)
	(envelope-from if@hetzner.co.za)
Received: from hetzner.co.za (office.dc2.cpt.your-server.co.za [196.7.147.230])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7C59543D4C
	for <freebsd-ipfw@freebsd.org>; Wed,  2 Aug 2006 11:42:53 +0000 (GMT)
	(envelope-from if@hetzner.co.za)
Received: from localhost ([127.0.0.1] helo=ian.hetzner.africa)
	by hetzner.co.za with esmtp (Exim 4.62 (FreeBSD))
	(envelope-from <if@hetzner.co.za>)
	id 1G8F7j-000ICo-Pv; Wed, 02 Aug 2006 13:42:51 +0200
To: Luigi Rizzo <rizzo@icir.org>
From: Ian FREISLICH <if@hetzner.co.za>
In-Reply-To: Message from Luigi Rizzo <rizzo@icir.org> of "Wed,
	02 Aug 2006 03:37:59 MST." <20060802033759.A13393@xorpc.icir.org> 
X-Attribution: BOFH
Date: Wed, 02 Aug 2006 13:42:51 +0200
Message-Id: <E1G8F7j-000ICo-Pv@hetzner.co.za>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw performance and random musings. 
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Aug 2006 11:42:54 -0000

Luigi Rizzo wrote:
> On Wed, Aug 02, 2006 at 12:27:39PM +0200, Ian FREISLICH wrote:
> ...
> > things.  I can also give the ifp->if_index cache a go.  Since I
> > need to virualise the firewall, I need a set of rules for each
> > interface.  I can't think of another way of sharing the firewall
> > beween a few hundred customers than by doing this:
> 
> that's too heavyweight, perhaps you need to implement a
> new microinstruction to hash the interface name and do an indirect
> jump to the right target. Although the syntax can be tricky, something
> like
> 	hash-if name:base:delta[,name:base:delta]
> 
> where name is the basename of the interface (e.g. vlan)
> so that packets from interface fooX would jump to base+X*delta

So, this will get performance to approach 120kpps, that will still
need to do a linear search of the rule set to find the next rule,
which I see I have to do anyway.  For some reason I thought skipto
used a pointer to the next rule.

You're thinking somewhere on the lines of:

skipto base hash-if <name pattern> from <number> to <number> delta <delta> [offset <number>]

so

skipto 1000 hash-if vlan from 1 to 500 delta 100

will match vlan1 to vlan500 and skipto:
vlan1 rule 1100
...
vlan500 rule 51000

and

skipto 1000 hash-if vlan from 1000 to 1500 delta 100 offset -100000
will match vlan1000 to vlan1500 and skipto:
vlan1000 rule 1000
...
vlan1500 rule 51000

I'll see if I can figure out how to do this.

Ian

--
Ian Freislich