Date:      Mon, 10 Nov 2003 00:18:01 -0800
From:      "'Luigi Rizzo'" <rizzo@icir.org>
To:        Artis Caune <ac-lists@latnet.lv>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: loading lot of rules takes very long time
Message-ID:  <20031110001801.A67328@xorpc.icir.org>
In-Reply-To: <20031110080053.5A99543F3F@mx1.FreeBSD.org>; from ac-lists@latnet.lv on Mon, Nov 10, 2003 at 09:59:29AM +0200
References:  <20031106033919.A65661@xorpc.icir.org> <20031110080053.5A99543F3F@mx1.FreeBSD.org>

On Mon, Nov 10, 2003 at 09:59:29AM +0200, Artis Caune wrote:
> "-Nq" speed up a little bit, thanks
> 
> We need individual pipes for each client,
> because they are different organizations
> and pay different price for different speed
> pipes. (international traffic) We have /16 prefix ;)

i understand that, what i meant is that i believe you only
have a handful (say S) of different speeds
and a handful (say L) of prefix lengths, so you could just
create 2*S*L pipes with masks and pass traffic for
the various clients to these pipes.
This would make your ruleset a lot more
efficient.

> we use "skipto" to divide our /16 prefix in pieces:
>   add 2 skipto 100 all from any to 159.148.0.0/24
>   add 2 skipto 200 all from any to 159.148.1.0/24
>   ...
>   add 2 skipto N all from any to 159.148.255.0/24
> 
> This is just an example, we need more planning.
> 
> 
> pf can load 50000 rules in about 5-7sec.
> ipfw needs about 25-35min to load 30000 rules.

hmm... i believe you should really follow the suggestion that
someone else posted and use the

 ipfw [-cnNqS] [-p preproc [preproc-flags]] pathname

command format to load all rules at once.

	cheers
	luigi
> 
> 
> 
>  
> 
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]
> On Behalf Of Luigi Rizzo
> Sent: Thursday, 6 November 2003 13:39
> To: Artis Caune
> Cc: freebsd-ipfw@freebsd.org
> Subject: Re: loading lot of rules takes very long time
> 
> most likely, because you are not using "-n", the printing
> code will use the nameserver to try and resolve addresses, and
> if halfway through you are limiting/blocking access to the
> nameserver you incur timeouts.
> 
> To tell the truth i suspect you have a quite poorly designed
> ruleset if you are adding individual rules and pipes for each
> client. Almost surely you should make use of masks in pipes,
> and address sets in rules, to reduce the size of your ruleset
> to something manageable and efficient.
> 
> 	cheers
> 	luigi
> 
> 
> On Thu, Nov 06, 2003 at 01:04:31PM +0200, Artis Caune wrote:
> > Hello,
> > 
> > We have about 10000-20000 pipes for
> > different subnets, and it takes very long
> > time to load them - about 10-15min.
> > 
> > 92.8% interrupt,  0.0% idle
> > 
> > strange that things slow down when count
> > reaches 2000-2500 rules.
> > 
> > is there something we can do to speed things up?
> > 
> > rules are added like:
> >   ipfw -q add 1 pipe 1 src-ip 1.1.1.1 out via em0
> >   ipfw pipe 1 config bw 30Kbytes/s queue 10
> >   ...
> > so 'ipfw' is invoked '2 x client_count' !!!
> > 
> > maybe ipfw needs a feature like:
> > ipfw -f /etc/rc.firewall
> > 
> > 
> > 
> > # FreeBSD-4.9, IPFW2,
> > # HZ=2000, DEVICE_POLLING,
> > # 1G RAM, 2.4xeon on Intel server board
> > 
> > 
> > 
> > 
> > 
> > .....
> > Artis
> > 
> > 
> > _______________________________________________
> > freebsd-ipfw@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"



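The two suggestions in the reply above, combined in an added example that is not part of the original message: a shell function that turns a client list into one ruleset file for `ipfw -q pathname`, allocating one masked pipe pair per (speed, prefix length) instead of one pipe per client. The input format, rule numbering and pipe numbering are assumptions, the client lines are constructed, and interface and direction qualifiers are left out.

```shell
#!/bin/sh
# Added example (not from the thread): emit a ruleset file for
# "ipfw -q pathname" that uses shared pipes with masks.
# Assumed input on stdin: "<prefix>/<len> <bandwidth>", one client per line.

gen_ruleset() {
    next_pipe=1; rule=1000; seen=""
    while read -r net bw; do
        [ -n "$net" ] || continue
        len=${net#*/}; key="$bw/$len"; down=""
        # Reuse the pipe pair already allocated for this (speed, length).
        for entry in $seen; do
            if [ "${entry%=*}" = "$key" ]; then
                down=${entry#*=}
            fi
        done
        if [ -z "$down" ]; then
            down=$next_pipe; next_pipe=$((next_pipe + 2))
            seen="$seen $key=$down"
            # Netmask of the prefix length: dummynet then creates one
            # dynamic pipe per client prefix, each limited to $bw.
            mask=$(printf '0x%08x' $(( (4294967295 << (32 - len)) & 4294967295 )))
            echo "pipe $down config bw $bw queue 10 mask dst-ip $mask"
            echo "pipe $((down + 1)) config bw $bw queue 10 mask src-ip $mask"
        fi
        echo "add $rule pipe $down all from any to $net"
        echo "add $((rule + 1)) pipe $((down + 1)) all from $net to any"
        rule=$((rule + 10))
    done
}

# Constructed client list: two speeds, two prefix lengths.
sample_clients() {
    cat <<'EOF'
159.148.0.0/24 30Kbytes/s
159.148.1.0/24 30Kbytes/s
159.148.2.0/25 30Kbytes/s
159.148.3.0/24 64Kbytes/s
EOF
}

# Redirect this to a file, then load it with a single "ipfw -q <file>".
sample_clients | gen_ruleset
```

Four clients produce six pipe definitions here; the pipe count grows with the number of distinct speed and prefix-length combinations, not with the number of clients.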