Date: Mon, 17 Jun 2002 15:34:08 -0700
From: "'Luigi Rizzo'" <rizzo@icir.org>
To: ipfw@FreeBSD.ORG
Subject: Re: third ipfw snapshot available
Message-ID: <20020617153408.A38650@iguana.icir.org>
In-Reply-To: <20020617095702.C36073@iguana.icir.org>; from rizzo@icir.org on Mon, Jun 17, 2002 at 09:57:02AM -0700
References: <20020613171319.D93980@iguana.icir.org> <20020617095702.C36073@iguana.icir.org>
Ok, the port to -stable was easier than I thought.

Patches against a recent -stable are at

    http://info.iet.unipi.it/~luigi/ipfw4.20020617.diff

They modify the following files:

    sys/net/bridge.c
    sys/net/if_ethersubr.c
    sys/netinet/ip_dummynet.c
    sys/netinet/ip_dummynet.h
    sys/netinet/ip_fw.c
    sys/netinet/ip_fw.h
    sys/netinet/ip_input.c
    sys/netinet/ip_output.c
    sbin/ipfw/ipfw.c

I also managed to run some very preliminary performance tests on a
net4501 (133 MHz 486), with a simple program which generates short
(64-byte on the wire) UDP packets as fast as it can to a remote host
on a 10Mbit/s half-duplex link. I used the following sysctl variables:

    kern.polling.enable=1
    kern.polling.user_frac=99

The ruleset was made of a variable number of rules:

    count ip from any to any        [repeated N times]

followed by the default rule

    allow ip from any to any

This test is only meant to show how much overhead you save by
generating rules which only perform the required actions as opposed
to using the old rule structure.

    Packets-per-second / ipfw overhead in us

    #of "count" rules     Standard IPFW     New IPFW
            0             4800 / n.a.       4830 / n.a.
           10             3800 / 55         4460 / 17
           20             3240 / 100        4000 / 43
           30             2840 / 144        3720 / 61
           50             2310 / 224        3166 / 108

So, at least on this box, you cut the overhead in half. Of course if
you try the same test with rules which exercise every possible match
field and option in the rule, both times are going to go up, but I do
not think the new ipfw will lose anything.

	cheers
	luigi

On Mon, Jun 17, 2002 at 09:57:02AM -0700, 'Luigi Rizzo' wrote:
> [Bcc to -net]
>
> A third snapshot of my rewrite of the ipfw code is available at
>
>     http://info.iet.unipi.it/~luigi/ipfw5.20020617.tgz
>
> This code is for -current, and it implements all the existing
> ipfw features with the exception of ipprecedence, iptos and icmptypes
> (these will be added in the next snapshot).
>
> It also lets you put "not" and "or" connectives in front of almost any
> field of an ipfw rule, so you can likely write more compact and
> efficient rulesets.
>
> The work being almost complete, I should be able to run performance
> tests and produce a -stable version of this code shortly.
>
> I would be grateful if you could give this code a try and tell me
> how it works for you on the rulesets you use (it is supposed to
> be 100% compatible with the existing ipfw). You need to have
> a version of -current after May 15th, replace
>
>     sys/netinet/ip_fw.c
>     sys/netinet/ip_fw.h
>     sys/netinet/ip_dummynet.c
>     sbin/ipfw/ipfw.c
>
> with the files in the archive, rebuild a kernel and /sbin/ipfw.
>
> Both success and failure reports are welcome.
>
> 	cheers
> 	luigi
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
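An added example, not part of the message above, showing how the "ipfw overhead in us" column is derived from the packets-per-second figures and how the per-rule cost of each implementation can be estimated from them. It assumes the overhead was computed as the difference of integer per-packet times (1000000 // pps), which reproduces every figure in the table; the least-squares per-rule estimate is this example's own addition.

```python
# Added example: per-packet and per-rule ipfw overhead from the pps table in the mail.
# Measurements copied from the message: number of "count" rules -> packets per second.
STANDARD_IPFW = {0: 4800, 10: 3800, 20: 2840 and 3240 or 3240, 30: 2840, 50: 2310}
NEW_IPFW = {0: 4830, 10: 4460, 20: 4000, 30: 3720, 50: 3166}


def per_packet_us(pps):
    """Time spent per forwarded packet, in microseconds (exact, not truncated)."""
    return 1_000_000 / pps


def overhead_us(pps_table):
    """Extra microseconds per packet caused by the N 'count' rules, relative to
    the 0-rule baseline.  Assumption: the mail's figures come from integer
    per-packet times, i.e. 1000000 // pps_N - 1000000 // pps_0."""
    base = 1_000_000 // pps_table[0]
    return {n: 1_000_000 // pps - base for n, pps in pps_table.items() if n > 0}


def us_per_rule(pps_table):
    """Average cost of evaluating one 'count' rule, in microseconds: the
    least-squares slope through the origin of exact overhead vs. rule count."""
    base = per_packet_us(pps_table[0])
    num = sum(n * (per_packet_us(p) - base) for n, p in pps_table.items() if n)
    den = sum(n * n for n in pps_table if n)
    return num / den


def speedup(old_table, new_table):
    """Ratio of per-rule cost, old implementation over new."""
    return us_per_rule(old_table) / us_per_rule(new_table)


if __name__ == "__main__":
    for name, table in (("Standard IPFW", STANDARD_IPFW), ("New IPFW", NEW_IPFW)):
        print(f"{name}: overhead {overhead_us(table)}, "
              f"{us_per_rule(table):.2f} us per rule")
    print(f"per-rule speedup: {speedup(STANDARD_IPFW, NEW_IPFW):.2f}x")
```

On this data the standard rule structure costs about 4.6 us per rule and the rewrite about 2.1 us per rule on the 486, consistent with the "cut the overhead in half" conclusion.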