Date:      Wed, 27 Apr 2016 16:21:49 -0300
From:      Zé Claudio Pastore <zclaudio@bsd.com.br>
To:        freebsd-hackers@freebsd.org
Subject:   Best option to process packet ACL
Message-ID:  <CAEGk6G4aMU_qxDMb3tBqyLNmUNqd3%2BRjDRZ29wMx7pK_w=kkJg@mail.gmail.com>

Hello everyone,

I would like to hear your suggestion regarding the best approach to process
IP packets for filtering, in such a way that I can avoid lowering my pps rate.

Today I have a simple application that proxies an HTTP application. It's dual
threaded on a 4 core system with low CPU power. The current application
uses two threads, one for control and one for data flow processing.

I need to implement a simple set of stateless filtering, I will process
only:

- src-ip
- dst-ip
- src-port
- dst-port
- iplen
- proto (tcp/udp/other)

My current rate of requests per second is high, around 200K. I have no idea
how I can best leverage the IDLE CPUs to implement this ACL
filtering while trying not to impact the pps rate I have today.

I have implemented it serially today (not threaded) and I get a 40% performance
loss. I will handle a max of 128 filter rules; this is a decision which is made.
This is going to be first match wins.

My current plans are to test:

1) Create 6 threads, one to test each aspect of the ACL (src-ip, dst-ip,
etc); when the first thread returns false to the parent thread I stop processing
that rule and go to the next, and tell all other threads to die/exit since
they don't matter anymore.

2) Create one thread to process a batch of rules, say, 8 rules per thread
per request. I don't know if I would limit the total number of threads and lock
requests while threads are busy.

3) Someone suggested "do as pf/ipfw do" but I have no idea how it's done,
how multithreaded it is and what is done on each thread.

4) Other suggestion?

This is going to run FreeBSD 11, I use libevent2 on the current application
so far.

Thanks.
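As an added example (not code from the post or from any FreeBSD component): a stateless, first-match-wins ACL over the six fields the post lists (src-ip, dst-ip, src-port, dst-port, iplen, proto), capped at the 128 rules the post decides on. It shows what one lookup actually costs: a linear scan where each rule short-circuits on its first failing compare. All type and function names, the `IP4` macro and the sample policy are this example's own assumptions; the addresses are constructed documentation ranges.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not code from the post: a stateless, first-match-wins
 * ACL over the six fields the post lists, capped at 128 rules as the post
 * decides. Names and layout are this example's own. */

#define ACL_MAX_RULES 128
#define IP4(a, b, c, d) \
    ((((uint32_t)(a)) << 24) | (((uint32_t)(b)) << 16) | \
     (((uint32_t)(c)) << 8) | ((uint32_t)(d)))

enum acl_action { ACL_DENY = 0, ACL_PERMIT = 1 };

/* Fields extracted once per packet, in host byte order. */
struct pkt_key {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint16_t iplen;
    uint8_t  proto;   /* IP protocol number: 6 = TCP, 17 = UDP, others as-is */
};

/* A rule: prefix masks for addresses (mask 0 = any), inclusive ranges for
 * ports and length (0..65535 = any), proto 0 = any. */
struct acl_rule {
    uint32_t src_ip, src_mask;
    uint32_t dst_ip, dst_mask;
    uint16_t sport_lo, sport_hi;
    uint16_t dport_lo, dport_hi;
    uint16_t len_lo, len_hi;
    uint8_t  proto;
    uint8_t  action;
};

struct acl {
    struct acl_rule rules[ACL_MAX_RULES];
    size_t n;
    uint8_t default_action;   /* applied when no rule matches */
};

static bool rule_matches(const struct acl_rule *r, const struct pkt_key *k)
{
    /* Each check short-circuits, so a non-matching rule usually costs a
     * single compare; proto goes first because it rejects most rules cheaply. */
    if (r->proto != 0 && r->proto != k->proto) return false;
    if ((k->src_ip & r->src_mask) != (r->src_ip & r->src_mask)) return false;
    if ((k->dst_ip & r->dst_mask) != (r->dst_ip & r->dst_mask)) return false;
    if (k->src_port < r->sport_lo || k->src_port > r->sport_hi) return false;
    if (k->dst_port < r->dport_lo || k->dst_port > r->dport_hi) return false;
    if (k->iplen < r->len_lo || k->iplen > r->len_hi) return false;
    return true;
}

/* First match wins. Returns the action; *idx receives the rule index or -1. */
int acl_lookup(const struct acl *a, const struct pkt_key *k, int *idx)
{
    for (size_t i = 0; i < a->n; i++) {
        if (rule_matches(&a->rules[i], k)) {
            if (idx) *idx = (int)i;
            return a->rules[i].action;
        }
    }
    if (idx) *idx = -1;
    return a->default_action;
}

bool acl_add(struct acl *a, const struct acl_rule *r)
{
    if (a->n >= ACL_MAX_RULES) return false;   /* the post's hard cap */
    a->rules[a->n++] = *r;
    return true;
}

/* Constructed sample policy (documentation address ranges), default deny. */
void build_sample_acl(struct acl *a)
{
    a->n = 0;
    a->default_action = ACL_DENY;
    /* rule 0: deny TCP from 10.0.0.0/8 to any host, destination port 22 */
    struct acl_rule r0 = { IP4(10,0,0,0), 0xff000000u, 0, 0,
                           0, 65535, 22, 22, 0, 65535, 6, ACL_DENY };
    /* rule 1: permit TCP from anywhere to 192.0.2.10 port 80, iplen <= 1500 */
    struct acl_rule r1 = { 0, 0, IP4(192,0,2,10), 0xffffffffu,
                           0, 65535, 80, 80, 0, 1500, 6, ACL_PERMIT };
    /* rule 2: permit UDP from 192.0.2.53 source port 53 to anywhere */
    struct acl_rule r2 = { IP4(192,0,2,53), 0xffffffffu, 0, 0,
                           53, 53, 0, 65535, 0, 65535, 17, ACL_PERMIT };
    acl_add(a, &r0);
    acl_add(a, &r1);
    acl_add(a, &r2);
}

/* Convenience wrapper: look one packet key up in the sample policy. */
int sample_lookup(const struct pkt_key *k, int *idx)
{
    struct acl a;
    build_sample_acl(&a);
    return acl_lookup(&a, k, idx);
}

int main(void)
{
    struct pkt_key k = { IP4(198,51,100,7), IP4(192,0,2,10), 40000, 80, 512, 6 };
    int idx;
    int act = sample_lookup(&k, &idx);
    printf("action=%s rule=%d\n", act == ACL_PERMIT ? "permit" : "deny", idx);
    return 0;
}
```

The whole lookup is bounded by 128 rules times at most six compares on data that fits in a couple of cache lines, so the per-packet cost of the scan itself is small next to the cost of creating threads or synchronising them for every packet, which is why option 1 (one thread per field) and option 2 (one thread per batch of rules) pay more in handoff than they save in compares. The cheaper way to use the idle cores is to keep the rule table read-only and let each worker thread run the complete lookup for the packets it already owns.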