Date:      Mon, 27 Apr 2009 13:09:07 -0300
From:      Daniel Dias Gonçalves <ddg@yan.com.br>
To:        Julian Elischer <julian@elischer.org>
Cc:        freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject:   Re: IPFW MAX RULES COUNT PERFORMANCE
Message-ID:  <49F5D8A3.3050805@yan.com.br>
In-Reply-To: <49F235F4.2030202@elischer.org>
References:  <49F06985.1000303@yan.com.br> <49F0A7DD.30206@elischer.org>	<49F1DBAE.1080205@yan.com.br> <49F235F4.2030202@elischer.org>

Julian,

Could you give an example of rules with tables?

Julian Elischer wrote:
> Daniel Dias Gonçalves wrote:
>> Very good thinking, congratulations, but my need is another.
>> The objective is a Captive Portal where, on each authentication, a rule 
>> is dynamically created to ALLOW or COUNT the authenticated IP; what I'm 
>> testing is the maximum number of rules supported, and therefore of 
>> simultaneous users.
>>
>> Understand ?
>>
> I think so.
>
>
> do not add rules.
> have a single rule that looks in a table
> and add entries to the table when needed.
>
>> Thanks,
>>
>> Daniel
>>
>> Julian Elischer wrote:
>>> Daniel Dias Gonçalves wrote:
>>>> Hi,
>>>>
>>>> My system is a FreeBSD 7.1R.
>>>> When I add IPFW COUNT rules for 254 IPs from my network, one of my 
>>>> interfaces shows increased latency, causing large delays in the 
>>>> network; when I delete the COUNT rules, everything returns to normal. 
>>>> What can it be?
>>>>
>>>> My script:
>>>
>>> of course adding 512 rules, *all of which have to be evaluated* will 
>>> add latency.
>>>
>>> you have several ways to improve this situation.
>>>
>>> 1/ use a different tool.
>>> By using the netgraph netflow module you can get
>>> accounting information that may be more useful and less impactful.
>>>
>>> 2/ you could make your rules smarter..
>>>
>>> use skipto rules to make the average packet traverse less rules..
>>>
>>> off the top of my head.. (not tested..)
>>>
>>> Assuming you have machines 10.0.0.1-10.0.0.254....
>>> the rules below have an average packet traversing 19 rules and not 
>>> 256 for the SYN packet and 2 rules for others..
>>> you may not be able to do the keep state trick if you use state for 
>>> other stuff but in that case worst case will still be 19 rules.
>>>
>>> 2 check-state
>>> 5 skipto 10000 ip from not 10.0.0.0/24 to any
>>> 10 skipto 2020 ip from not 10.0.0.0/25 to any  # 0-127
>>> 20 skipto 1030 ip from not 10.0.0.0/26 to any  # 0-63
>>> 30 skipto 240 ip from not 10.0.0.0/27  to any  # 0-31
>>> 40 skipto 100 ip from not 10.0.0.0/28  to any  # 0-15
>>> [16 count rules for 0-15]
>>> 80 skipto 10000 ip from any to any
>>> 100 [16 count rules for 16-31] keep-state
>>> 140 skipto 10000 ip from any to any
>>> 240 skipto 300 ip from not 10.0.0.32/28 to any
>>>     [16 rules for 32-47] keep-state
>>> 280 skipto 10000 ip from any to any
>>> 300 [16 count rules for 48-63] keep-state
>>> 340 skipto 10000 ip from any to any
>>> 1030 skipto 1240 ip from not 10.0.0.64/27 to any
>>> 1040 skipto 1100 ip from not 10.0.0.64/28 to any
>>>    [16 count rules for 64-79] keep-state
>>> 1080 skipto 10000 ip from any to any
>>> 1100 [16 rules for 80-95] keep-state
>>> 1140 skipto 10000 ip from any to any
>>> 1240 skipto 1300 ip from not 10.0.0.96/28 to any
>>>     [16 count rules for 96-111] keep-state
>>> 1280 skipto 10000 ip from any to any
>>> 1300 [16 rules for 112-127] keep-state
>>> 1340 skipto 10000 ip from any to any
>>> 2020 skipto 3030 ip from not 10.0.0.128/26 to any
>>> 2030 skipto 2240 ip from not 10.0.0.128/27 to any
>>> 2040 skipto 2100 ip from not 10.0.0.128/28 to any
>>>     [16 count rules for 128-143] keep-state
>>> 2080 skipto 10000 ip from any to any
>>> 2100 [16 rules for 144-159] keep-state
>>> 2140 skipto 10000 ip from any to any
>>> 2240 skipto 2300 ip from not 10.0.0.160/28 to any
>>>     [16 count rules for 160-175] keep-state
>>> 2280 skipto 10000 ip from any to any
>>> 2300 [16 count rules for 176-191] keep-state
>>> 2340 skipto 10000 ip from any to any
>>> 3030 skipto 3240 ip from not 10.0.0.192/27 to any
>>> 3040 skipto 3100 ip from not 10.0.0.192/28 to any
>>>     [16 count rules for 192-207] keep-state
>>> 3080 skipto 10000 ip from any to any
>>> 3100 [16 rules for 208-223] keep-state
>>> 3140 skipto 10000 ip from any to any
>>> 3240 skipto 3300 ip from not 10.0.0.224/28 to any
>>>     [16 count rules for 224-239] keep-state
>>> 3280 skipto 10000 ip from any to any
>>> 3300 [16 count rules for 240-255] keep-state
>>> 3340 skipto 10000 ip from any to any
>>>
>>> 10000 #other stuff
>>>
>>> in fact you could improve it further with:
>>> 1/ either going down to a netmask of 29 (8 rules per set)
>>> or
>>> 2/ instead of having count rules make them skipto
>>> so you would have:
>>> 3300 skipto 10000 ip from 10.0.0.240 to any
>>> 3301 skipto 10000 ip from 10.0.0.241 to any
>>> 3302 skipto 10000 ip from 10.0.0.242 to any
>>> 3303 skipto 10000 ip from 10.0.0.243 to any
>>> 3304 skipto 10000 ip from 10.0.0.244 to any
>>> 3305 skipto 10000 ip from 10.0.0.245 to any
>>> 3306 skipto 10000 ip from 10.0.0.246 to any
>>> 3307 skipto 10000 ip from 10.0.0.247 to any
>>> 3308 skipto 10000 ip from 10.0.0.248 to any
>>> 3309 skipto 10000 ip from 10.0.0.249 to any
>>> 3310 skipto 10000 ip from 10.0.0.250 to any
>>> 3311 skipto 10000 ip from 10.0.0.251 to any
>>> 3312 skipto 10000 ip from 10.0.0.252 to any
>>> 3313 skipto 10000 ip from 10.0.0.253 to any
>>> 3314 skipto 10000 ip from 10.0.0.254 to any
>>> 3315 skipto 10000 ip from 10.0.0.255 to any
>>>
>>> thus on average, a packet would traverse half the rules (8).
>>>
>>> 3/ both the above, so on average they would traverse 4 rules plus 
>>> one extra skipto.
>>>
>>> you should be  able to do the above in a script.
>>> I'd love to see it..
>>>
>>> (you can also do skipto tablearg in -current (maybe 7.2 too)
>>> which may also be good.. (or not))
>>>
>>>
>>> julian
>>>
>>>
>>>
>>> _______________________________________________
>>> freebsd-net@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>>
>>>
>

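An example of the table-based ruleset Julian recommends, added here as an illustration and not taken from the thread or from any FreeBSD code. The rules are loaded once and consult an ipfw table; each captive-portal login or logout becomes a `table add` or `table delete` instead of a new rule, so the number of rules a packet traverses does not grow with the number of authenticated users. Table number 1, the client subnet 10.0.0.0/24, the rule numbers 100-160, the portal host 10.0.0.1 and the IPFW variable (set it to "echo ipfw" for a dry run) are assumptions of the example.

```sh
#!/bin/sh
# Added example, not code from the thread: a captive-portal ruleset that keeps
# authenticated clients in an ipfw table. The rule set below is loaded once;
# login and logout only add or delete a table entry, so the number of rules a
# packet traverses stays constant however many users are authenticated.
# Assumptions (not from the thread): table 1, clients on 10.0.0.0/24, rule
# numbers 100-160, the portal web server at $PORTAL_HOST, and $IPFW naming
# the ipfw binary. IPFW="echo ipfw" prints the commands instead of running them.

IPFW=${IPFW:-ipfw}
TABLE=${TABLE:-1}
CLIENTS=10.0.0.0/24
CLIENT_PREFIX=10.0.0.
PORTAL_HOST=${PORTAL_HOST:-10.0.0.1}

# Static rule set, loaded once. The count rules come before check-state: once
# rule 130 has created state for a flow, its later packets are accepted by the
# dynamic entry at rule 120 and never reach anything placed after it.
portal_setup() {
    $IPFW table "$TABLE" flush
    $IPFW add 100 count ip from "table($TABLE)" to any
    $IPFW add 110 count ip from any to "table($TABLE)"
    $IPFW add 120 check-state
    $IPFW add 130 allow ip from "table($TABLE)" to any keep-state
    # Unauthenticated clients reach only DNS and the login page.
    $IPFW add 140 allow udp from $CLIENTS to any dst-port 53
    $IPFW add 150 allow tcp from $CLIENTS to $PORTAL_HOST dst-port 80,443
    $IPFW add 160 deny ip from $CLIENTS to any
}

# Accept only one dotted-quad host address inside the client subnet. The portal
# web application supplies this value; a CIDR such as 0.0.0.0/0 is a legal
# table entry and would admit everyone through rule 130.
valid_client_ip() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1.$2.$3." = "$CLIENT_PREFIX" ]
}

# Login and logout are one table entry each, never a new rule.
portal_login() {
    valid_client_ip "$1" || { echo "portal_login: refusing '$1'" >&2; return 1; }
    $IPFW table "$TABLE" add "$1"
}

portal_logout() {
    valid_client_ip "$1" || { echo "portal_logout: refusing '$1'" >&2; return 1; }
    $IPFW table "$TABLE" delete "$1"
}

# Currently authenticated addresses.
portal_sessions() {
    $IPFW table "$TABLE" list
}

case "${1:-}" in
    setup)  portal_setup ;;
    login)  portal_login "$2" ;;
    logout) portal_logout "$2" ;;
    list)   portal_sessions ;;
esac
```

`sh portal.sh setup` loads the rules, `sh portal.sh login 10.0.0.7` admits a client, and `ipfw show` prints the packet and byte counters of rules 100 and 110. Those counters are aggregates over the whole table: a single table rule cannot keep per-client counters, so for per-client accounting use Julian's first suggestion (the netgraph netflow module) or, on versions that have it (he mentions -current and possibly 7.2), `skipto tablearg` with the table value pointing at a per-client rule. The address check in valid_client_ip matters because the web application feeds this script and ipfw will happily accept a prefix as a table entry. Note also that the table keys on source IP alone, so a host that spoofs or reuses an authenticated client's address is admitted; ipfw can additionally match MAC addresses, but that is outside what this example shows.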

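Julian asks to see the skipto tree produced by a script. The following, added here and not code from the thread, generates his second variant for one /24 (per-host skipto rules whose own counters provide the accounting, no separate count rules) by halving the address range until a leaf of 16 hosts remains, and includes a function that computes how many rules a packet from a given host traverses, so the "average packet traverses N rules" figure can be measured rather than estimated. The prefix 10.0.0, the starting rule number 100, the leaf size 16 and the exit rule 10000 are assumptions; the script prints ipfw commands rather than running them.

```sh
#!/bin/sh
# Added example, not code from the thread: emits the binary skipto tree that
# Julian sketches (his variant 2: per-host skipto rules, accounting read from
# the rule counters) for one /24, and computes the rules a packet traverses.
# Assumptions (not from the thread): prefix $NET, first rule $BASE, leaf size
# $LEAF hosts, and the shared exit rule $EXIT_RULE that follows the tree.

NET=${NET:-10.0.0}
BASE=${BASE:-100}
LEAF=${LEAF:-16}
EXIT_RULE=${EXIT_RULE:-10000}

# Number of rules a subtree covering $1 addresses occupies: a leaf is one rule
# per host plus the closing "skipto EXIT any"; an inner node is one skipto
# plus its two halves.
rules_for() {
    if [ "$1" -le "$LEAF" ]; then
        echo $(( $1 + 1 ))
    else
        echo $(( 2 * $(rules_for $(( $1 / 2 ))) + 1 ))
    fi
}

# Prefix length of a block of $1 addresses ($1 a power of two).
plen_for() {
    n=$1; p=32
    while [ "$n" -gt 1 ]; do n=$(( n / 2 )); p=$(( p - 1 )); done
    echo "$p"
}

# Emit rules for hosts $NET.$1 .. $NET.($1+$2-1) starting at rule number $3.
gen_tree() {
    lo=$1; size=$2; base=$3
    if [ "$size" -le "$LEAF" ]; then
        i=0
        while [ "$i" -lt "$size" ]; do
            echo "ipfw add $(( base + i )) skipto $EXIT_RULE ip from $NET.$(( lo + i )) to any"
            i=$(( i + 1 ))
        done
        echo "ipfw add $(( base + size )) skipto $EXIT_RULE ip from any to any"
        return
    fi
    half=$(( size / 2 ))
    right=$(( base + 1 + $(rules_for "$half") ))
    # Hosts in the upper half jump over the lower half's subtree.
    echo "ipfw add $base skipto $right ip from not $NET.$lo/$(plen_for "$half") to any"
    # The lower half runs in a subshell so lo, half and right survive for the upper half.
    ( gen_tree "$lo" "$half" $(( base + 1 )) )
    gen_tree $(( lo + half )) "$half" "$right"
}

# Whole ruleset: a guard sends traffic from outside the /24 straight to the exit.
gen_ruleset() {
    echo "ipfw add $BASE skipto $EXIT_RULE ip from not $NET.0/24 to any"
    gen_tree 0 256 $(( BASE + 1 ))
}

# Rules evaluated for a packet from host $NET.$1, guard rule included.
path_len() {
    o=$1; lo=0; size=256; n=1
    while [ "$size" -gt "$LEAF" ]; do
        size=$(( size / 2 ))
        n=$(( n + 1 ))
        if [ "$o" -ge $(( lo + size )) ]; then lo=$(( lo + size )); fi
    done
    echo $(( n + o - lo + 1 ))
}

case "${1:-}" in
    gen)  gen_ruleset ;;
    path) path_len "$2" ;;
esac
```

`sh tree.sh gen | sh` loads the 288 rules (numbers 100 to 387), and `sh tree.sh path 200` prints the rule count for 10.0.0.200. With these defaults a host at the start of a leaf costs 6 rules and one at the end 21, a mean of 13.5 over the /24 against a mean of 128.5 for a flat list of 256 rules; LEAF=8 adds one skipto level and brings the mean to 10.5. The check-state trick from Julian's sketch is independent of this and can be placed in front of the guard rule.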


Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?49F5D8A3.3050805>