Date:      Fri, 7 Jan 2000 14:08:47 -0500
From:      "Patrick Bihan-Faou" <patrick@mindstep.com>
To:        "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc:        "Luigi Rizzo" <luigi@info.iet.unipi.it>, <freebsd-current@FreeBSD.ORG>
Subject:   Re: ipfw optimizations
Message-ID:  <007d01bf5942$a0216540$c80aa8c0@local.mindstep.com>
References:  <200001071820.KAA11875@gndrsh.dnsmgr.net>

Hi,

> > One of the things I would do to optimize ipfw is:
> > - instead of keeping one list with all the rules, split the list (the
> >   internal one) by interface and by direction (one list for ed1 incoming,
> >   one list for ed1 outgoing, etc.).
>
> I often do this manually in long rule sets by using things like
>
> ipfw add 1000 skipto 10000 from any to any via de0
> ipfw add 1001 skipto 20000 from any to any via de1
> ...
> ipfw add 10000 skipto 15000 from any to any in via de0
> #process outbound on de0 rules here
> ipfw add 15000 blah blah # processing inbound on de0 rules here

[...]

> In other words, don't burden the ipfw with code that can easily be done
> by an intelligent user, and some more examples/documentation...

Yep, and there happens to be a rule that you would like to be tested in
every case, but you don't want to test it at the beginning (before the
switch) but sometime in the middle. With your scheme (which is the only
reasonable one currently), you have to duplicate that rule for every branch.
This is fine, but if now you need to modify the rule somewhat, don't forget
to modify it everywhere. This can rapidly become a maintenance nightmare.

What I was proposing is that the per-interface switch be done implicitly by
ipfw. So if you do:

ipfw add allow ip from joe to bob via de0
ipfw add allow ip from arthur to joe in recv de0
ipfw add allow ip from john to any

You get the proper rule tree generated:

-> de0 RX:
    allow ip from joe to bob
    allow ip from arthur to joe
    allow ip from john to any

-> de0 TX:
    allow ip from joe to bob
    allow ip from john to any

-> de1 (TX or RX)
    allow ip from john to any


By the way, in terms of optimization you will save:

- 2 * number of interfaces rules (the skiptos) that have to be tested for
  most packets
- 2 tests for each rule after (you don't need to retest the interface nor
  the direction, it has been matched already)


If you go further in that logic and implement a per-protocol switch, you
reduce the number of tests even more.


To answer a previous question about the number of interfaces, I use FreeBSD
as a gateway with 2 ethernet interfaces and 3 tunnel interfaces (ipsec) to
remote locations. I guess that most cases where you really worry about ipfw
is in gateways where a minimum of 2 interfaces seems reasonable.

Again, I am not saying that you cannot implement a similar behaviour with
ipfw as it is now, I am just saying that if you want to optimize it, you
want to reduce the number of tests you perform for each rule. What I am
proposing is one way of doing it (and as a side effect, it makes managing a
tree-like set of rules easier).


Patrick.

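The rule tree above can be produced mechanically from the flat rule list. The following is an added example, not ipfw code and not code from anyone in this thread: it compiles a constructed subset of ipfw syntax (ACTION PROTO from SRC to DST, optionally followed by "via IF", "in recv IF" or "out xmit IF", with hosts as plain names instead of addresses) into one list per (interface, direction), then evaluates the same packet against the flat list and against the tree and counts field comparisons. The counting is a simplified model of the saving claimed in the message: the flat walk charges every rule two tests for interface and direction, and two more for the endpoints of each rule that passes them; the tree walk charges only the endpoint tests. The rules, interface names and packets are the message's examples, reconstructed here.

```python
"""Compile a flat ipfw-style rule list into one list per (interface, direction).

Added example on a constructed subset of ipfw syntax; see the lead-in.
"""
from collections import OrderedDict

DIRECTIONS = ("in", "out")

# Constructed from the three rules in the message.
RULES = [
    "allow ip from joe to bob via de0",
    "allow ip from arthur to joe in recv de0",
    "allow ip from john to any",
]
INTERFACES = ("de0", "de1")


def parse_rule(text):
    """Turn 'allow ip from arthur to joe in recv de0' into a dict.

    iface=None means "any interface", direction=None means "both directions".
    """
    tok = text.split()
    if len(tok) < 6 or tok[2] != "from" or tok[4] != "to":
        raise ValueError("unsupported rule syntax: %r" % text)
    rule = {"action": tok[0], "proto": tok[1], "src": tok[3], "dst": tok[5],
            "iface": None, "direction": None, "text": text}
    rest, i = tok[6:], 0
    while i < len(rest):
        w = rest[i]
        if w == "via":                      # either direction on that interface
            rule["iface"] = rest[i + 1]
            i += 2
        elif w in ("recv", "xmit"):         # received on / transmitted on
            rule["iface"] = rest[i + 1]
            rule["direction"] = "in" if w == "recv" else "out"
            i += 2
        elif w in DIRECTIONS:
            rule["direction"] = w
            i += 1
        else:
            raise ValueError("unsupported clause %r in %r" % (w, text))
    return rule


def compile_tree(rule_texts, interfaces):
    """Build {(iface, direction): [rules]}, preserving the original rule order.

    A rule goes into every list it could apply to, so a rule with no interface
    clause is copied into all of them: the duplication the message wants ipfw
    to do implicitly instead of by hand-written skipto branches.
    """
    rules = [parse_rule(t) for t in rule_texts]
    tree = OrderedDict(((ifc, d), []) for ifc in interfaces for d in DIRECTIONS)
    for r in rules:
        for (ifc, d), bucket in tree.items():
            if r["iface"] in (None, ifc) and r["direction"] in (None, d):
                bucket.append(r)
    return tree


def _host_match(want, have):
    return want == "any" or want == have


def flat_lookup(rule_texts, pkt):
    """First-match walk of the flat list, as a single chain would do it.

    Returns (action, number_of_field_tests); "deny" if nothing matched.
    """
    tests = 0
    for r in (parse_rule(t) for t in rule_texts):
        tests += 2  # interface and direction are tested on every rule
        if r["iface"] not in (None, pkt["iface"]) or \
           r["direction"] not in (None, pkt["direction"]):
            continue
        tests += 2  # src and dst
        if _host_match(r["src"], pkt["src"]) and _host_match(r["dst"], pkt["dst"]):
            return r["action"], tests
    return "deny", tests


def tree_lookup(tree, pkt):
    """Same packet, but only the list for its (iface, direction) is walked,
    and only the endpoints need testing."""
    tests = 0
    for r in tree[(pkt["iface"], pkt["direction"])]:
        tests += 2  # src and dst only
        if _host_match(r["src"], pkt["src"]) and _host_match(r["dst"], pkt["dst"]):
            return r["action"], tests
    return "deny", tests


def render_tree(tree):
    """Text form like the rule tree drawn in the message."""
    lines = []
    for (ifc, d), bucket in tree.items():
        lines.append("-> %s %s:" % (ifc, "RX" if d == "in" else "TX"))
        lines.extend("    %s %s from %s to %s" % (r["action"], r["proto"], r["src"], r["dst"])
                     for r in bucket)
    return "\n".join(lines)


if __name__ == "__main__":
    tree = compile_tree(RULES, INTERFACES)
    print(render_tree(tree))
    pkt = {"src": "arthur", "dst": "joe", "iface": "de0", "direction": "in"}
    print("flat:", flat_lookup(RULES, pkt), "tree:", tree_lookup(tree, pkt))
```

For the packet from arthur to joe inbound on de0, the flat walk spends 8 field tests and the tree walk 4; for a packet from arthur to joe outbound on de0, which matches nothing, the flat walk spends 10 and the tree walk 4, since the "in recv de0" rule is never consulted on the outbound list. The model still assumes a fixed order of rules inside each list; a rule that must be tested "in the middle" keeps its position in every list it is copied into, which is the single-definition property the message is after.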