Date:      Sun, 25 Aug 2019 02:34:00 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        Victor Gamov <vit@otcnet.ru>, freebsd-net@freebsd.org
Subject:   Re: finding optimal ipfw strategy
Message-ID:  <4ff39c8f-341c-5d72-1b26-6558c57bff8d@grosbein.net>
In-Reply-To: <f38b21a5-8f9f-4f60-4b27-c810f78cdc88@otcnet.ru>
References:  <f38b21a5-8f9f-4f60-4b27-c810f78cdc88@otcnet.ru>

25.08.2019 1:13, Victor Gamov wrote:

> I have a nonstandard network task for my FreeBSD box:
> many VLANs bridged together via bridge interface and specific multicast traffic must be sent
> from one VLAN to many (but not all) other VLANs.

It is quite standard filtering bridge :-)

> I use ipfw to block traffic on unwanted outgoing interfaces.
> 
> And my answer: which ipfw rules are more optimal, 1 or 2 (see 1 and 2 later), when I have about 100 incoming multicast and about 100 vlans?
> 
> 1
> =====
> ipfw table Mcast1_iface_out create type iface
> ipfw table Mcast1_iface_out add vlan20
> ipfw table Mcast1_iface_out add vlan30
> ipfw table Mcast1_iface_out add vlan40
> ipfw add 25000 allow udp from IP1 to mcast1 out via table(Mcast1_iface_out)

If you are concerned about performance, the general rule applies: fewer checks, better performance.

First, use 'out xmit' instead of 'out via'. They are semantically equal and this is a micro-optimization,
but it still saves an extra check that is unneeded when combined with the "out" keyword.

Also, you should use old table numbers instead of new symbolic table names
when you have many rules checking for interface names and much traffic,
because checks for numbered tables are slightly more efficient.
You may still use symbolic names at the source level:

Mcast1_iface_out=1
ipfw table $Mcast1_iface_out create type iface

Also, use table arguments and not only table values; do not ignore their existence:

# one entry per egress interface (a type iface table keys on the interface name)
ipfw table $Mcast1_iface_out add vlan20 $mcast11
ipfw table $Mcast1_iface_out add vlan30 $mcast12
ipfw table $Mcast1_iface_out add vlan40 $mcast13
ipfw add 25000 allow udp from IP1 to tablearg out xmit "table($Mcast1_iface_out)"

Note there is one single ipfw rule checking for all used pairs ($Mcast1_iface_out, $mcastXX),
and this time it is not a micro-optimization but a very important one when you have plenty of mcastXX.

Both your first and second rulesets are less efficient compared to this one using tableargs.
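As an added example (not part of the original message or of ipfw itself): a POSIX sh generator that turns an interface-to-group mapping into the numbered-table, tablearg-style ruleset described above. The mapping, table number 1, rule number 25000 and source address 10.0.0.1 are constructed values; the script prints ipfw commands instead of running them, and it refuses a mapping that lists the same interface twice, because a type iface table keys on the interface name and each key holds a single value.

```shell
#!/bin/sh
# Added example, not from the original message: generate the tablearg-style
# ipfw ruleset from an interface-to-group mapping. Commands are printed, not
# executed, so the output can be reviewed before piping it to sh on the box.

# Constructed mapping, one "<egress interface> <multicast group>" pair per line.
MAPPING='vlan20 239.1.1.11
vlan30 239.1.1.12
vlan40 239.1.1.13'

MCAST_TABLE=1        # numbered table, as recommended in the message
RULE_NUM=25000       # rule number from the message
SRC_IP=10.0.0.1      # constructed source address of the multicast sender

# A type iface table keys on the interface name and holds one value per key,
# so a mapping that lists the same interface twice cannot be expressed in a
# single table. Returns non-zero (and names the offenders) when that happens.
check_unique_keys() {
    dups=$(printf '%s\n' "$1" | awk 'NF { print $1 }' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'duplicate interface key(s): %s\n' "$dups" >&2
        return 1
    fi
    return 0
}

# Emit the table creation and one "add <iface> <group>" line per pair.
# Assumption: the table's default value type accepts an IPv4 address as the
# value, as in the message's own "add vlan20 $mcast11" example.
gen_table_cmds() {
    printf 'ipfw table %s create type iface\n' "$MCAST_TABLE"
    printf '%s\n' "$1" | while read -r iface group; do
        [ -n "$iface" ] && [ -n "$group" ] || continue
        printf 'ipfw table %s add %s %s\n' "$MCAST_TABLE" "$iface" "$group"
    done
}

# One rule covers every (interface, group) pair: the destination comes from
# the table value (tablearg) and "out xmit" matches the egress interface.
gen_rule() {
    printf 'ipfw add %s allow udp from %s to tablearg out xmit "table(%s)"\n' \
        "$RULE_NUM" "$SRC_IP" "$MCAST_TABLE"
}

# Whole ruleset; refuses to emit anything for an inconsistent mapping.
gen_ruleset() {
    check_unique_keys "$1" || return 1
    gen_table_cmds "$1"
    gen_rule
}

# Number of rules the per-group strategy (one table and one rule per group)
# would need for the same mapping, for comparison with the single tablearg rule.
per_group_rule_count() {
    printf '%s\n' "$1" | awk 'NF { print $2 }' | sort -u | wc -l | tr -d ' '
}

gen_ruleset "$MAPPING"
```

Run it as-is to see the generated commands; on a real box, review the output and then pipe it to sh. The duplicate-key check is the one place where the generator adds something beyond the message: it catches a mapping that would silently need more than one table before any rule is loaded.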
