From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 10 00:18:02 2003
Date: Mon, 10 Nov 2003 00:18:01 -0800
From: Luigi Rizzo
To: Artis Caune
Cc: freebsd-ipfw@freebsd.org
Subject: Re: loading lot of rules takes very long time
Message-ID: <20031110001801.A67328@xorpc.icir.org>
In-Reply-To: <20031110080053.5A99543F3F@mx1.FreeBSD.org>
References: <20031106033919.A65661@xorpc.icir.org> <20031110080053.5A99543F3F@mx1.FreeBSD.org>
List-Id: IPFW Technical Discussions

On Mon, Nov 10, 2003 at 09:59:29AM +0200, Artis Caune wrote:
> "-Nq" speeds up a little bit, thanks
>
> We need individual pipes for each client,
> because they are different organizations
> and pay different prices for different speed
> pipes. (international traffic) We have a /16 prefix ;)

i understand that, what i meant is that i believe you only have a
handful (say S) of different speeds and a handful (say L) of prefix
lengths, so you could just create 2*S*L pipes with masks and pass
traffic for the various clients to these pipes. This would make your
ruleset a lot more efficient.

> we use "skipto" to divide our /16 prefix in pieces:
> add 2 skipto 100 all from any to 159.148.0.0/24
> add 2 skipto 200 all from any to 159.148.1.0/24
> ...
> add 2 skipto N all from any to 159.148.255.0/24
>
> This is just an example, we need more planning.
>
>
> pf can load 50000 rules in about 5-7sec.
> ipfw needs about 25-35min to load 30000 rules.

hmm... i believe you should really follow the suggestion that someone
else posted and use the

    ipfw [-cnNqS] [-p preproc [preproc-flags]] pathname

command format to load all rules at once.

cheers
luigi

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]
> On Behalf Of Luigi Rizzo
> Sent: Thursday, 6 November 2003 13:39
> To: Artis Caune
> Cc: freebsd-ipfw@freebsd.org
> Subject: Re: loading lot of rules takes very long time
>
> most likely, because you are not using "-n", the printing
> code will use the nameserver to try and resolve addresses, and
> if halfway through you are limiting/blocking access to the
> nameserver you incur timeouts.
>
> To tell the truth i suspect you have a quite poorly designed
> ruleset if you are adding individual rules and pipes for each
> client. Almost surely you should make use of masks in pipes,
> and address sets in rules, to reduce the size of your ruleset
> to something manageable and efficient.
>
> cheers
> luigi
>
> On Thu, Nov 06, 2003 at 01:04:31PM +0200, Artis Caune wrote:
> > Hello,
> >
> > We have about 10000-20000 pipes for
> > different subnets, and it takes a very long
> > time to load them - about 10-15min.
> >
> > 92.8% interrupt, 0.0% idle
> >
> > strange that things slow down when count
> > reaches 2000-2500 rules.
> >
> > is there something we can do to speed things up?
> >
> > rules are added like:
> > ipfw -q add 1 pipe 1 src-ip 1.1.1.1 out via em0
> > ipfw pipe 1 config bw 30Kbytes/s queue 10
> > ...
> > so 'ipfw' is invoked '2 x client_count' !!!
> >
> > maybe ipfw needs a feature like:
> > ipfw -f /etc/rc.firewall
> >
> >
> > # FreeBSD-4.9, IPFW2,
> > # HZ=2000, DEVICE_POLLING,
> > # 1G RAM, 2.4xeon on Intel server board
> >
> > .....
> > Artis
> >
> > _______________________________________________
> > freebsd-ipfw@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
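The two suggestions in this thread, masked pipes shared by clients of the same speed and prefix length, and loading the whole ruleset from one file with `ipfw pathname`, put together as an added example (my script, not code from the thread or from FreeBSD). It assumes em0 faces upstream, so a client's traffic is "out via em0" from its prefix and "in via em0" to it, and that ipfw2 accepts comma-separated address lists in rule files; the client table is constructed.

```shell
#!/bin/sh
# Added example: build ONE ipfw rule file from a "prefix speed" client
# table, grouping clients by (speed, prefix length) so each group shares a
# pipe pair (out/in) with a dummynet mask instead of one pipe and one rule
# per client. Load the result once with: ipfw -q FILE
# Assumptions: em0 faces upstream; ipfw2 accepts "a/24,b/24" address lists.

# Netmask for a prefix length, in the hex form dummynet masks use.
plen_to_mask() {
  # 4294967295 is 0xffffffff; the AND keeps the result to 32 bits
  printf '0x%08x' $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# stdin: "prefix speed" per line; stdout: lines for ipfw(8) "pathname" mode
gen_ruleset() {
  pipe=1    # first pipe number; each group uses pipe and pipe+1
  rule=1000 # rule number for each group's pair of rules
  # Re-key as "plen speed prefix" so a sort puts shareable clients together
  while read -r prefix speed; do
    [ -z "$prefix" ] || printf '%s %s %s\n' "${prefix#*/}" "$speed" "$prefix"
  done | LC_ALL=C sort | {
    gplen=""; gspeed=""; list=""
    emit() {
      mask=$(plen_to_mask "$gplen")
      printf 'pipe %d config bw %s queue 10 mask src-ip %s\n' "$pipe" "$gspeed" "$mask"
      printf 'pipe %d config bw %s queue 10 mask dst-ip %s\n' $((pipe + 1)) "$gspeed" "$mask"
      printf 'add %d pipe %d ip from %s to any out via em0\n' "$rule" "$pipe" "$list"
      printf 'add %d pipe %d ip from any to %s in via em0\n' "$rule" $((pipe + 1)) "$list"
      pipe=$((pipe + 2)); rule=$((rule + 10))
    }
    while read -r plen speed prefix; do
      if [ "$plen $speed" != "$gplen $gspeed" ]; then
        [ -z "$list" ] || emit           # flush the previous group
        gplen=$plen; gspeed=$speed; list=$prefix
      else
        list="$list,$prefix"              # same speed and mask: share the pipe
      fi
    done
    [ -z "$list" ] || emit
  }
}

# Constructed sample table: four clients, three speeds, two prefix lengths.
client_table() {
  printf '%s\n' '159.148.0.0/24 30Kbytes/s' '159.148.1.0/24 64Kbytes/s' \
                '159.148.2.0/24 30Kbytes/s' '159.148.4.0/22 128Kbytes/s'
}
client_table | gen_ruleset
```

With the sample table the four clients collapse to three (speed, mask) groups, so six pipes and six rules replace the eight the one-pipe-per-client scheme would need, and the whole file loads in a single ipfw invocation.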