Date: Mon, 27 Apr 2009 13:22:11 -0300
From: Daniel Dias Gonçalves <ddg@yan.com.br>
To: Adrian Chadd <adrian@freebsd.org>
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: Re: IPFW MAX RULES COUNT PERFORMANCE
Message-ID: <49F5DBB3.6030500@yan.com.br>
In-Reply-To: <d763ac660904241006v3eca3e76p46534ec5a6561fb2@mail.gmail.com>
References: <49F06985.1000303@yan.com.br> <d763ac660904241006v3eca3e76p46534ec5a6561fb2@mail.gmail.com>
Going to another example. If I wanted each authentication (username and password) in the captive portal to set up rules limiting the speed of the user's IP, how would I do it? Can I create two rules, in/out, for each user associated with a pipe? When simulating this with a script adding hundreds of rules, the latency also increases; how do I resolve this?

Adrian Chadd wrote:
> You'd almost certainly be better off hacking up an extension to ipfw
> which lets you count a /24 in one rule.
>
> As in, the count rule would match on the subnet/netmask, have 256 32
> (or 64 bit) integers allocated to record traffic in, and then do an
> O(1) operation using the last octet of the v4 address to map it into
> this 256 slot array to update counters for.
>
> It'd require a little tool hackery to extend ipfw in userland/kernel
> space to do it but it would work and be (very almost) just as fast as
> a single rule.
>
> 2c,
>
> Adrian
>
> 2009/4/23 Daniel Dias Gonçalves <ddg@yan.com.br>:
>
>> Hi,
>>
>> My system is a FreeBSD 7.1R.
>> When I add IPFW COUNT rules for 254 IPs on my network, one of my interfaces
>> increases in latency, causing large delays in the network; when I delete the
>> COUNT rules, everything returns to normal. What can it be?
>>
>> My script:
>>
>> ipcount.php
>> -- CUT --
>> <?php
>> $c=0;
>> $a=50100;
>> for($x=0;$x<=0;$x++) {
>>   for($y=1;$y<=254;$y++) {
>>     $ip = "192.168.$x.$y";
>>     # two count rules per host, same rule number: one per direction
>>     system("/sbin/ipfw -q add $a count { tcp or udp } from any to $ip/32");
>>     system("/sbin/ipfw -q add $a count { tcp or udp } from $ip/32 to any");
>>     #system("/sbin/ipfw delete $a");
>>     $c++;
>>     $a++;
>>   }
>> }
>> echo "\n\nTotal: $c\n";
>> ?>
>> -- CUT --
>>
>> net.inet.ip.fw.dyn_keepalive: 1
>> net.inet.ip.fw.dyn_short_lifetime: 5
>> net.inet.ip.fw.dyn_udp_lifetime: 10
>> net.inet.ip.fw.dyn_rst_lifetime: 1
>> net.inet.ip.fw.dyn_fin_lifetime: 1
>> net.inet.ip.fw.dyn_syn_lifetime: 20
>> net.inet.ip.fw.dyn_ack_lifetime: 300
>> net.inet.ip.fw.static_count: 262
>> net.inet.ip.fw.dyn_max: 10000
>> net.inet.ip.fw.dyn_count: 0
>> net.inet.ip.fw.curr_dyn_buckets: 256
>> net.inet.ip.fw.dyn_buckets: 10000
>> net.inet.ip.fw.default_rule: 65535
>> net.inet.ip.fw.verbose_limit: 0
>> net.inet.ip.fw.verbose: 1
>> net.inet.ip.fw.debug: 0
>> net.inet.ip.fw.one_pass: 1
>> net.inet.ip.fw.autoinc_step: 100
>> net.inet.ip.fw.enable: 1
>> net.link.ether.ipfw: 1
>> net.link.bridge.ipfw: 0
>> net.link.bridge.ipfw_arp: 0
>>
>> Thanks,
>>
>> Daniel
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
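As an added example (not code from this thread and not FreeBSD's ipfw source), here is a small C model of the "count a /24 in one rule" structure Adrian sketches: one rule carries the subnet and mask plus 256 per-host packet and byte counters, and the last octet of a matching address picks the slot in O(1). The struct and function names, the IP4 macro and the packet trace are all my own constructions; the trace addresses are chosen to mirror the 192.168.0.x hosts in Daniel's script.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a per-/24 count rule: subnet + mask + 256 per-host counter slots. */
#define SUBNET_SLOTS 256

/* Build an IPv4 address in host byte order (constructed helper). */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct subnet_counter {
    uint32_t net;                   /* network address, host byte order */
    uint32_t mask;                  /* 0xffffff00 for a /24 */
    uint64_t pkts[SUBNET_SLOTS];    /* per-host packet counters, indexed by last octet */
    uint64_t bytes[SUBNET_SLOTS];   /* per-host byte counters */
};

/* Constructed packet summary: only the fields accounting needs. */
struct pkt {
    uint32_t src;
    uint32_t dst;
    uint32_t len;
};

void subnet_counter_init(struct subnet_counter *sc, uint32_t net, uint32_t mask)
{
    memset(sc, 0, sizeof(*sc));
    sc->net = net & mask;
    sc->mask = mask;
}

/* One mask-and-compare decides membership, then the last octet indexes the slot.
 * Returns 1 if the address was counted, 0 if it lies outside the subnet. */
int subnet_counter_account(struct subnet_counter *sc, uint32_t addr, uint32_t len)
{
    if ((addr & sc->mask) != sc->net)
        return 0;
    unsigned slot = addr & 0xffu;
    sc->pkts[slot]++;
    sc->bytes[slot] += len;
    return 1;
}

/* Apply the rule to both addresses of a packet, standing in for the pair of
 * "from any to $ip" / "from $ip to any" count rules. Returns 0, 1 or 2 updates. */
int count_packet(struct subnet_counter *sc, const struct pkt *p)
{
    return subnet_counter_account(sc, p->src, p->len) +
           subnet_counter_account(sc, p->dst, p->len);
}

/* Feed a constructed traffic sample through one /24 rule; returns total updates. */
int run_sample(struct subnet_counter *sc)
{
    static const struct pkt trace[] = {
        { IP4(192,168,0,5), IP4(8,8,8,8),     100  },  /* host .5 outbound */
        { IP4(8,8,8,8),     IP4(192,168,0,5), 1400 },  /* host .5 inbound */
        { IP4(192,168,0,5), IP4(192,168,0,9), 60   },  /* internal: both hosts counted */
        { IP4(10,0,0,1),    IP4(10,0,0,2),    500  },  /* outside the /24: ignored */
        { IP4(192,168,1,7), IP4(192,168,0,9), 200  },  /* only .9 is inside the /24 */
    };
    int matched = 0;
    subnet_counter_init(sc, IP4(192,168,0,0), 0xffffff00u);
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        matched += count_packet(sc, &trace[i]);
    return matched;   /* 5 counter updates for this trace */
}

/* Print non-zero slots the way "ipfw show" would list per-host counters. */
void subnet_counter_dump(const struct subnet_counter *sc)
{
    for (unsigned slot = 0; slot < SUBNET_SLOTS; slot++) {
        if (sc->pkts[slot] == 0)
            continue;
        uint32_t a = sc->net | slot;
        printf("%u.%u.%u.%u  pkts=%llu bytes=%llu\n",
               a >> 24, (a >> 16) & 0xffu, (a >> 8) & 0xffu, a & 0xffu,
               (unsigned long long)sc->pkts[slot],
               (unsigned long long)sc->bytes[slot]);
    }
}

int main(void)
{
    struct subnet_counter sc;
    printf("counter updates: %d\n", run_sample(&sc));
    subnet_counter_dump(&sc);
    return 0;
}
```

The point of the comparison: an ipfw count rule does not end the search, so with Daniel's script every packet walks all 508 per-host rules and the per-packet cost grows linearly with the number of hosts; in the structure above membership is one mask compare and one array index whatever the host count. For the captive-portal pipe question, one thing to check in ipfw(8) on your release is whether lookup tables with the tablearg keyword are available, since that is the in-tree way to attach per-host pipes from a single rule (an assumption about the 7.1 feature set, not something stated in this thread).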