Date: Mon, 27 Apr 2009 13:09:07 -0300 From: =?ISO-8859-1?Q?Daniel_Dias_Gon=E7alves?= <ddg@yan.com.br> To: Julian Elischer <julian@elischer.org> Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org Subject: Re: IPFW MAX RULES COUNT PERFORMANCE Message-ID: <49F5D8A3.3050805@yan.com.br> In-Reply-To: <49F235F4.2030202@elischer.org> References: <49F06985.1000303@yan.com.br> <49F0A7DD.30206@elischer.org> <49F1DBAE.1080205@yan.com.br> <49F235F4.2030202@elischer.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Julian, You could give an example of rules with tables? Julian Elischer escreveu: > Daniel Dias Gonçalves wrote: >> Very good thinking, congratulations, but my need is another. >> The objective is a Captive Porrtal that each authentication is >> dynamically created a rule to ALLOW or COUNT IP authenticated, which >> I'm testing is what is the maximum capacity of rules supported, >> therefore simultaneous user. >> >> Understand ? >> > I think so. > > > do not add rules. > have a single rule that looks in a table > and add entries to the table when needed. > >> Thanks, >> >> Daniel >> >> Julian Elischer escreveu: >>> Daniel Dias Gonçalves wrote: >>>> Hi, >>>> >>>> My system is a FreeBSD 7.1R. >>>> When I add rules IPFW COUNT to 254 IPS from my network, one of my >>>> interfaces increases the latency, causing large delays in the >>>> network, when I delete COUNT rules, everything returns to normal, >>>> which can be ? >>>> >>>> My script: >>> >>> of course adding 512 rules, *all of which hav eto be evaluated* will >>> add latency. >>> >>> you have several ways to improve this situation. >>> >>> 1/ use a differnet tool. >>> By using the netgraph netflow module you can get >>> accunting information that may be more useful and less impactful. >>> >>> 2/ you could make your rules smarter.. >>> >>> use skipto rules to make the average packet traverse less rules.. >>> >>> off the top of my head.. (not tested..) >>> >>> Assuming you have machines 10.0.0.1-10.0.0.254.... >>> the rules below have an average packet traversing 19 rules and not >>> 256 for teh SYN packet and 2 rules for others.. >>> you may not be able to do the keep state trick if you use state for >>> other stuff but in that case worst case will still be 19 rules. >>> >>> 2 check-state >>> 5 skipto 10000 ip from not 10.0.0.0/24 to any >>> 10 skipto 2020 ip from not 10.0.0.0/25 to any # 0-128 >>> 20 skipto 1030 ip from not 10.0.0.0/26 to any # 0-64 >>> 30 skipto 240 ip from not 10.0.0.0/27 to any # 0-32 >>> 40 skipto 100 ip from not 10.0.0.0/28 to any # 0-16 >>> [16 count rules for 0-15] >>> 80 skipto 10000 ip from any to any >>> 100 [16 count rules for 16-31] keep-state >>> 140 skipto 10000 ip from any to any >>> 240 skipto 300 ip from not 10.0.0.32/28 >>> [16 rules for 32-47] keep-state >>> 280 skipto 10000 ip from any to any >>> 300 [16 count rules for 48-63] keep-state >>> 340 skipto 10000 ip from any to any >>> 1030 skipto 1240 ip from not 10.0.0.64/27 to any >>> 1040 skipto 1100 ip from not 10.0.0.64/28 to any >>> [16 count rules for 64-79] keep-state >>> 1080 skipto 10000 ip from any to any >>> 1100 [16 rules for 80-95] keep-state >>> 1140 skipto 10000 ip from any to any >>> 1240 skipto 1300 ip from not 10.0.0.96/28 to any >>> [16 count rules for 96-111] keep-state >>> 1280 skipto 10000 ip from any to any >>> 1300 [16 rules for 112-127] keep-state >>> 1340 skipto 10000 ip from any to any >>> 2020 skipto 3030 ip from not 10.0.0.128/26 to any >>> 2030 skipto 2240 ip from not 10.0.0.128/28 to any >>> [16 count rules for 128-143] keep-state >>> 2080 skipto 10000 ip from any to any >>> 2100 [16 rules for 144-159] keep-state >>> 2140 skipto 10000 ip from any to any >>> 2240 skipto 2300 ip from not 10.0.0.32/28 to any >>> [16 count rules for 160-175] keep-state >>> 2280 skipto 10000 ip from any to any >>> 2300 [16 count rules for 176-191] keep-state >>> 2340 skipto 10000 ip from any to any >>> 3030 skipto 3240 ip from not 10.0.0.192/27 to any >>> 3040 skipto 3100 ip from not 10.0.0.192/28 to any >>> [16 count rules for 192-207] keep-state >>> 3080 skipto 10000 ip from any to any >>> 3100 [16 rules for 208-223] keep-state >>> 3240 skipto 10000 ip from any to any >>> 3240 skipto 3300 ip from not 10.0.0.224/28 to any >>> [16 count rules for 224-239] keep-state >>> 3280 skipto 10000 ip from any to any >>> 3300 [16 count rules for 240-255] keep-state >>> 3340 skipto 10000 ip from any to any >>> >>> 10000 #other stuff >>> >>> in fact you could improve it further with: >>> 1/ either going down to a netmask of 29 (8 rules per set) >>> or >>> 2/ instead of having count rules make them skipto >>> so you would have: >>> 3300 skipto 10000 ip from 10.0.0.240 to any >>> 3301 skipto 10000 ip from 10.0.0.241 to any >>> 3302 skipto 10000 ip from 10.0.0.242 to any >>> 3303 skipto 10000 ip from 10.0.0.243 to any >>> 3304 skipto 10000 ip from 10.0.0.244 to any >>> 3305 skipto 10000 ip from 10.0.0.245 to any >>> 3306 skipto 10000 ip from 10.0.0.246 to any >>> 3307 skipto 10000 ip from 10.0.0.247 to any >>> 3308 skipto 10000 ip from 10.0.0.248 to any >>> 3309 skipto 10000 ip from 10.0.0.249 to any >>> 3310 skipto 10000 ip from 10.0.0.240 to any >>> 3311 skipto 10000 ip from 10.0.0.241 to any >>> 3312 skipto 10000 ip from 10.0.0.242 to any >>> 3313 skipto 10000 ip from 10.0.0.243 to any >>> 3314 skipto 10000 ip from 10.0.0.244 to any >>> 3315 skipto 10000 ip from 10.0.0.245 to any >>> >>> thus on average, a packet would traverse half the rules (8). >>> >>> 3/ both the above so on average they would traverse 4 rules plus >>> one extra skipto. >>> >>> you should be able to do the above in a script. >>> I'd love to see it.. >>> >>> (you can also do skipto tablearg in -current (maybe 7.2 too) >>> which may also be good.. (or not)) >>> >>> >>> julian >>> >>> >>> >>> _______________________________________________ >>> freebsd-net@freebsd.org mailing list >>> http://lists.freebsd.org/mailman/listinfo/freebsd-net >>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" >>> >>> > > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49F5D8A3.3050805>