Date: Tue, 1 Jun 2004 21:35:37 -0700
From: "Christian S.J. Peron" <csjp@freebsd.org>
To: hackers@freebsd.org
Cc: ipfw@freebsd.org
Subject: ipfw cached ucred patch
Message-ID: <20040602043537.GA42327@freefall.freebsd.org>

All,

Currently, when you have any rules which contain UID/GID constraints,
ipfw will lock the pcb hash and do a lookup to find the pcb associated
with that packet -- one for each constraint.

I have written a patch in an attempt to minimize the impact of PCB
related lookups for these types of firewall rules.

This patch will have the following effects on firewalls which contain
UID/GID constraints:

  o Greatly reduce the locking contention associated with PCB lookups.
  o Increase the performance of the firewall in general by making PCB
    lookups O(1) rather than O(n) (where n represents the number of
    UID/GID constraints in the ruleset).

It would be greatly appreciated if people who are running ipfw rule
sets containing UID/GID constraints tested this patch and reported any
successes or failures.

The patch can be downloaded from:

http://people.freebsd.org/~csjp/ip_fw2_cached_ucred.patch

NOTE: It also appears that ip_output passes a reference to the PCB.
Perhaps we can hold a reference to the ucred stored in that entry
and do away with lookups on outgoing packets altogether?

-- 
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer
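The lookup behaviour described in the message above, as an added user-space C model that is not part of the original post or of the linked patch: it counts PCB lookups for one packet when every UID/GID constraint triggers its own lookup and when the credential is cached for the lifetime of that packet. All names (`pcb_lookup`, `pktcache`, `eval_packet`, and so on) and the sample sockets are constructed for illustration and are not FreeBSD kernel identifiers.

```c
#include <stddef.h>
#include <stdint.h>
/* User-space model; every name here is hypothetical, not FreeBSD kernel API. */
struct cred { uint32_t uid, gid; };
struct pcb  { uint16_t lport; struct cred cr; };
struct rule { int is_gid; uint32_t id; };            /* one UID or GID constraint */
enum cstate { C_UNKNOWN, C_FOUND, C_MISSING };
struct pktcache { enum cstate st; struct cred cr; }; /* lives for one packet only */

static const struct pcb pcbs[] = {                   /* constructed sample sockets */
    { 22, { 0, 0 } }, { 8080, { 1001, 100 } },
};
static unsigned long n_lookups;        /* stands in for "lock pcb hash + search" */

static const struct pcb *pcb_lookup(uint16_t lport)
{
    n_lookups++;
    for (size_t i = 0; i < sizeof(pcbs) / sizeof(pcbs[0]); i++)
        if (pcbs[i].lport == lport)
            return &pcbs[i];
    return NULL;
}

/* Fill the cache on first use; a miss is cached too, so it is never retried. */
static int cred_for_packet(uint16_t lport, struct pktcache *c)
{
    if (c->st == C_UNKNOWN) {
        const struct pcb *p = pcb_lookup(lport);
        c->st = p ? C_FOUND : C_MISSING;
        if (p)
            c->cr = p->cr;
    }
    return c->st == C_FOUND;
}

/* First matching rule index or -1; use_cache=0 models one lookup per constraint. */
static int eval_packet(uint16_t lport, const struct rule *r, size_t n, int use_cache)
{
    struct pktcache c = { C_UNKNOWN, { 0, 0 } };
    for (size_t i = 0; i < n; i++) {
        if (!use_cache)
            c.st = C_UNKNOWN;          /* forget the result: old per-rule lookup */
        if (!cred_for_packet(lport, &c))
            continue;                  /* no owning socket: constraint cannot match */
        if ((r[i].is_gid ? c.cr.gid : c.cr.uid) == r[i].id)
            return (int)i;
    }
    return -1;
}
```

The cache is a local of `eval_packet`, so a credential resolved for one packet is never reused for the next; the verdict is the same in both modes and only the lookup count changes.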