Date:      Sat, 25 Apr 2009 01:06:45 +0800
From:      Adrian Chadd <adrian@freebsd.org>
To:        ddg@yan.com.br
Cc:        freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject:   Re: IPFW MAX RULES COUNT PERFORMANCE
Message-ID:  <d763ac660904241006v3eca3e76p46534ec5a6561fb2@mail.gmail.com>
In-Reply-To: <49F06985.1000303@yan.com.br>
References:  <49F06985.1000303@yan.com.br>

You'd almost certainly be better off hacking up an extension to ipfw
which lets you count a /24 in one rule.

As in, the count rule would match on the subnet/netmask, have 256 32-bit
(or 64-bit) integers allocated to record traffic in, and then do an
O(1) operation using the last octet of the v4 address to map it into
this 256-slot array to update counters for.

It'd require a little tool hackery to extend ipfw in userland/kernel
space to do it but it would work and be (very almost) just as fast as
a single rule.

2c,



Adrian

2009/4/23 Daniel Dias Gonçalves <ddg@yan.com.br>:
> Hi,
>
> My system is a FreeBSD 7.1R.
> When I add IPFW COUNT rules for 254 IPs from my network, one of my interfaces
> increases the latency, causing large delays in the network; when I delete
> the COUNT rules, everything returns to normal. What can it be?
>
> My script:
>
> ipcount.php
> -- CUT --
> <?php
> // Install two ipfw count rules (to-host and from-host) per address in
> // 192.168.0.1-254, numbered from 50100 upwards.
> $c = 0;
> $a = 50100;
> for ($x = 0; $x <= 0; $x++) {
>     for ($y = 1; $y <= 254; $y++) {
>         $ip = "192.168.$x.$y";
>         system("/sbin/ipfw -q add $a count { tcp or udp } from any to $ip/32");
>         system("/sbin/ipfw -q add $a count { tcp or udp } from $ip/32 to any");
>         #system("/sbin/ipfw delete $a");
>         $c++;
>         $a++;
>     }
> }
> echo "\n\nTotal: $c\n";
> ?>
> -- CUT --
>
> net.inet.ip.fw.dyn_keepalive: 1
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.static_count: 262
> net.inet.ip.fw.dyn_max: 10000
> net.inet.ip.fw.dyn_count: 0
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_buckets: 10000
> net.inet.ip.fw.default_rule: 65535
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.debug: 0
> net.inet.ip.fw.one_pass: 1
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.enable: 1
> net.link.ether.ipfw: 1
> net.link.bridge.ipfw: 0
> net.link.bridge.ipfw_arp: 0
>
> Thanks,
>
> Daniel
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
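The per-/24 counter rule sketched in the reply above, written out as an added example in plain C that is not ipfw code and not from either poster. It models the proposed rule as a struct with a 256-slot counter array indexed by the last octet, updated in O(1), and sets it beside the rule list the posted script actually installs (2 x 254 per-host count rules), where every packet has to be compared against every rule because count rules never terminate the search. All names (subnet_count, host_rule, parse_ip4, and so on) are hypothetical, and the packet addresses are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define MASK24 0xffffff00u

/* Hypothetical "count a whole /24 in one rule": one match on the
 * network prefix, then a direct index into a 256-slot array by the
 * last octet. Counters are 64-bit so they do not wrap on a busy link. */
struct subnet_count {
    uint32_t net;               /* network address, host byte order */
    uint64_t pkts[2][256];      /* [0] = to host, [1] = from host */
    uint64_t bytes[2][256];
};

/* Parse a dotted-quad IPv4 address into host byte order; 0 on failure. */
static int parse_ip4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

static int subnet_count_init(struct subnet_count *r, const char *net)
{
    uint32_t n;
    memset(r, 0, sizeof *r);
    if (!parse_ip4(net, &n))
        return 0;
    r->net = n & MASK24;
    return 1;
}

/* Account one packet. Returns the number of counter slots touched
 * (0, 1, or 2 for a packet between two hosts inside the /24). */
static int subnet_count_packet(struct subnet_count *r, uint32_t src,
                               uint32_t dst, uint32_t len)
{
    int hits = 0;
    if ((dst & MASK24) == r->net) {        /* traffic to a host */
        r->pkts[0][dst & 0xff]++;
        r->bytes[0][dst & 0xff] += len;
        hits++;
    }
    if ((src & MASK24) == r->net) {        /* traffic from a host */
        r->pkts[1][src & 0xff]++;
        r->bytes[1][src & 0xff] += len;
        hits++;
    }
    return hits;
}

/* The approach in the posted script: one rule per host per direction. */
struct host_rule { uint32_t host; int to_host; uint64_t pkts, bytes; };

/* Build the 2*254 per-host rules for net/24. Returns the rule count. */
static int host_rules_build(struct host_rule *rules, uint32_t net)
{
    int n = 0;
    for (uint32_t h = 1; h <= 254; h++) {
        rules[n++] = (struct host_rule){ .host = (net & MASK24) | h, .to_host = 1 };
        rules[n++] = (struct host_rule){ .host = (net & MASK24) | h, .to_host = 0 };
    }
    return n;
}

/* Walk the whole list, as the firewall must for count rules (they never
 * stop the search). Returns the number of address comparisons made. */
static int host_rules_count(struct host_rule *rules, int n, uint32_t src,
                            uint32_t dst, uint32_t len)
{
    int cmps = 0;
    for (int i = 0; i < n; i++) {
        uint32_t a = rules[i].to_host ? dst : src;
        cmps++;
        if (a == rules[i].host) {
            rules[i].pkts++;
            rules[i].bytes += len;
        }
    }
    return cmps;
}

int main(void)
{
    struct subnet_count r;
    struct host_rule rules[508];
    uint32_t src, dst;

    subnet_count_init(&r, "192.168.0.0");
    parse_ip4("10.1.1.1", &src);            /* constructed addresses */
    parse_ip4("192.168.0.37", &dst);
    int n = host_rules_build(rules, r.net);

    printf("subnet rule: %d slot update(s) for one packet\n",
           subnet_count_packet(&r, src, dst, 1500));
    printf("per-host rules: %d comparisons for the same packet\n",
           host_rules_count(rules, n, src, dst, 1500));
    printf("to 192.168.0.37: %llu pkt, %llu bytes\n",
           (unsigned long long)r.pkts[0][37], (unsigned long long)r.bytes[0][37]);
    return 0;
}
```

The point the comparison makes concrete: with per-host rules the cost per packet grows linearly with the number of monitored hosts (508 comparisons here for the 254 hosts in the script), while the single subnet rule costs two mask-and-compare operations and one array index regardless of how many hosts live in the /24.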


