Date: Wed, 27 Apr 2016 16:21:49 -0300
From: Zé Claudio Pastore <zclaudio@bsd.com.br>
To: freebsd-hackers@freebsd.org
Subject: Best option to process packet ACL
Message-ID: <CAEGk6G4aMU_qxDMb3tBqyLNmUNqd3%2BRjDRZ29wMx7pK_w=kkJg@mail.gmail.com>

Hello everyone,

I would like to hear your suggestions regarding the best approach to process IP packets for filtering, in such a way that I can avoid lowering my pps rate.

Today I have a simple application that proxies an http application. It's dual threaded on a 4 core system with low CPU power. The current application uses two threads, one for control and one for data flow processing.

I need to implement a simple set of stateless filtering. I will process only:

- src-ip
- dst-ip
- src-port
- dst-port
- iplen
- proto (tcp/udp/other)

My current rate of requests per second is high, around 200K. I have no idea how I can leverage the IDLE CPUs the best way to implement this ACL filtering, trying not to impact the pps rate I have today.

I have implemented it serially today (not threaded) and I get a 40% performance loss.

I will handle max 128 filter rules; this is a decision which is made. This is going to be first match wins.

My current plans are to test:

1) Create 6 threads, one to test each aspect of the ACL (src-ip, dst-ip, etc). The first thread that returns false to the parent thread, I stop processing that rule and go to the next, and tell all other threads to die/exit since they don't matter anymore.

2) Create one thread to process a batch of rules, say, 8 rules per thread per request. Don't know if I would limit the total number of threads and lock requests while threads are busy.

3) Someone suggested "do as pf/ipfw do" but I have no idea how it's done, how multithreaded it is and what is done on each thread.

4) Other suggestion?

This is going to run FreeBSD 11. I use libevent2 on the current application so far.

Thanks.
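
The serial first-match-wins check over the six fields listed in the message, written as a single pass over a flat rule array (an added example, not code from the original post and not how pf or ipfw are implemented). The rule layout, all names, and the sample rules and packet are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define ACL_MAX_RULES 128                /* rule limit stated in the message */
enum { ACL_DENY = 0, ACL_ALLOW = 1 };
/* The six fields from the message; addresses and ports in host byte order. */
struct pkt_key {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port, iplen;
    uint8_t  proto;                      /* 6 = TCP, 17 = UDP */
};
/* Assumed rule layout: masked addresses, inclusive ranges, proto 0 = any. */
struct acl_rule {
    uint32_t src_ip, src_mask, dst_ip, dst_mask;
    uint16_t sport_lo, sport_hi, dport_lo, dport_hi, len_lo, len_hi;
    uint8_t  proto, action;
};
/* Constructed sample rules, evaluated in order (192.0.2.0/24 is a documentation net). */
static const struct acl_rule sample_rules[] = {
    { 0xC0000200u, 0xFFFFFF00u, 0, 0, 0, 65535, 80, 80, 0, 65535, 6, ACL_DENY },  /* TCP 192.0.2.0/24 -> :80 */
    { 0, 0, 0, 0, 0, 65535, 80, 80, 0, 65535, 6, ACL_ALLOW },                     /* any other TCP -> :80 */
    { 0, 0, 0, 0, 0, 65535, 0, 65535, 1401, 65535, 17, ACL_DENY },                /* UDP with iplen > 1400 */
};

/* One rule: all six tests combined with bitwise &, so nothing is short-circuited. */
static int acl_rule_match(const struct acl_rule *r, const struct pkt_key *k) {
    return (((k->src_ip ^ r->src_ip) & r->src_mask) == 0)
         & (((k->dst_ip ^ r->dst_ip) & r->dst_mask) == 0)
         & (k->src_port >= r->sport_lo) & (k->src_port <= r->sport_hi)
         & (k->dst_port >= r->dport_lo) & (k->dst_port <= r->dport_hi)
         & (k->iplen >= r->len_lo) & (k->iplen <= r->len_hi)
         & ((r->proto == 0) | (r->proto == k->proto));
}

/* First match wins: returns the matching rule index, or -1 with the default action. */
static int acl_eval(const struct acl_rule *rules, size_t n,
                    const struct pkt_key *k, int dflt, int *action) {
    if (n > ACL_MAX_RULES) n = ACL_MAX_RULES;
    for (size_t i = 0; i < n; i++)
        if (acl_rule_match(&rules[i], k)) { *action = rules[i].action; return (int)i; }
    *action = dflt;
    return -1;
}

int main(void) {
    struct pkt_key k = { 0xC0000207u, 0xC6336401u, 40000, 80, 60, 6 };  /* constructed packet */
    int act, idx = acl_eval(sample_rules, 3, &k, ACL_ALLOW, &act);
    printf("rule %d action %d\n", idx, act);
}
```

The constructed packet also satisfies the second rule, but evaluation stops at the first, which is the ordering behaviour the message asks for.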