Date:      Thu, 16 Apr 2015 12:08:39 -0700
From:      Jason Wolfe <nitroboost@gmail.com>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        Julian Elischer <julian@freebsd.org>, hiren panchasara <hiren@strugglingcoder.info>, freebsd-ipfw@freebsd.org
Subject:   Re: ipfw on just inbound and not outbound
Message-ID:  <CAAAm0r0uZbbW5mVRVsOE-ooqqTDngM9Z2dMpECihoGR9=Tn=Vg@mail.gmail.com>
In-Reply-To: <20150416164024.B93161@sola.nimnet.asn.au>
References:  <20150414210901.GA10620@strugglingcoder.info> <552F2F82.1060506@freebsd.org> <20150416164024.B93161@sola.nimnet.asn.au>

Ian,

It's not so much the induced latency, but the CPU usage.  Simply
invoking ipfw causes a noticeable amount of overhead, and with a
single rule it clocks in at 5% on the hardware in question.  This
ranks ipfw_chk in as the 2nd hungriest function, just below tcp_output
in the IRQ handler threads with a single rule.  With 3 rules, it
overtakes the top spot (each adding ~0.3%-0.5%).

If there were an easy way to gain back that 5% on outbound traffic,
we'd gladly take it.  It sounds like being able to disconnect paths
from ipfw might be a science project for the future, though it does
seem it could garner some wider interest.

Jason

On Thu, Apr 16, 2015 at 12:12 AM, Ian Smith <smithi@nimnet.asn.au> wrote:
> On Thu, 16 Apr 2015 11:41:54 +0800, Julian Elischer wrote:
>  > On 4/15/15 5:09 AM, hiren panchasara wrote:
>  > > Apologies if this is something silly but I want to completely eliminate
>  > > ipfw from outgoing traffic perspective. I just want to have it on
>  > > incoming. I can always add "allow ip from any to any out" as the first
>  > > rule but that is still ipfw doing something.
>  > >
>  > > Is there a way to tell ipfw to not look at outbound traffic at all?
>  > no
>  > >
>  > > OR, the rule I mentioned is the best that can be done here?
>  > yes
>  >
>  > this touches on something I've been thinking of for a while.. per
>  > interface/direction rule sets.
>  > but that doesn't exist yet.
>  >
>  > you could write a kernel module that would disconnect the outgoing packet
>  > filter hooks
>  > but "hack" comes to mind as a description there.
>  >
>  > actually....  you could use the ipfw netgraph hook and only hook it up for
>  > incoming packets,
>  > but it would probably be not much more efficient than just having the rule,
>  > and more complicated to set up.
>
> I'm wondering if the cost of that one rule is even worth worrying about.
>
> Hiren, you might try running iperf (ono):
>
>  a) after 'ipfw disable firewall'
>
>  b) after just 'ipfw add 20000 allow ip from any to any'
>
>  c) after say 1000 rules before getting to (b) by such as:
>
>  for i in `jot - 0 999`; do
>         ipfw add $((i*10+1000)) count ip from any to any
>  done
>
> to then calculate a cost per rule.  Tens or hundreds of ns?
>
> Of course, whether that cost is significant depends on the sort of pps
> rates you're having (or hoping :) to deal with on the box in question ..
>
>  > > cheers,
>  > > Hiren
>  > >
>  > > ps: Please keep me cc'd as I am not subscribed.
>
> cheers, Ian
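
The a/b/c measurement Ian sketches above, written out as a script. This is an added example, not code from the thread or from FreeBSD: it assumes a FreeBSD host with ipfw loaded, iperf 2.x on the host and a peer running `iperf -s` at the placeholder address in `PEER`, and root privileges; the `bps_to_pps` and `per_rule_ns` helpers, the `PKTBYTES` and `NRULES` knobs and the `RUN_BENCH` guard are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Harness for the a/b/c measurement
# Ian describes: throughput with ipfw disabled, with one allow rule, and with
# NRULES 'count' rules ahead of it, then a per-rule cost estimate.
# Assumptions: FreeBSD host with ipfw loaded, iperf 2.x, a peer running
# 'iperf -s' at $PEER, run as root. IPFW=echo gives a dry run. Nothing is
# executed unless RUN_BENCH=1, so the helpers can be sourced and checked alone.
IPFW=${IPFW:-ipfw}
PEER=${PEER:-192.0.2.10}        # placeholder (RFC 5737 documentation range)
NRULES=${NRULES:-1000}
PKTBYTES=${PKTBYTES:-1500}      # on-wire bytes per packet, to turn bit/s into pps
SECS=${SECS:-10}

# Rule number of the i-th count rule: 1000, 1010, ... as in Ian's jot loop.
rule_number() { echo $(( $1 * 10 + 1000 )); }

# Print the ipfw commands that install n count rules (portable loop, no jot).
count_rule_cmds() {
    i=0
    while [ "$i" -lt "$1" ]; do
        echo "add $(rule_number "$i") count ip from any to any"
        i=$(( i + 1 ))
    done
}

# Scenarios. flush removes every rule; if the kernel default rule (65535) is
# deny, do this from the console, not over the link you are measuring.
scenario_a() { $IPFW disable firewall; }
scenario_b() {
    $IPFW -f -q flush
    $IPFW -q add 20000 allow ip from any to any
    $IPFW enable firewall
}
scenario_c() {
    scenario_b
    count_rule_cmds "$NRULES" | while read -r line; do $IPFW -q $line; done
}

# Apply one scenario, then print the bit/s iperf reports (CSV mode, last field).
measure() { "$1" >&2; iperf -c "$PEER" -t "$SECS" -y C | tail -1 | awk -F, '{ print $NF }'; }

# Packets per second implied by a bit/s figure and a per-packet size in bytes.
bps_to_pps() { awk -v bps="$1" -v bytes="$2" 'BEGIN { printf "%.0f\n", bps / (bytes * 8) }'; }

# Per-rule cost in ns: per-packet time with n extra rules minus without, divided by n.
per_rule_ns() { awk -v b="$1" -v c="$2" -v n="$3" 'BEGIN { printf "%.3f\n", (1e9 / c - 1e9 / b) / n }'; }

main() {
    bps_a=$(measure scenario_a)
    bps_b=$(measure scenario_b)
    bps_c=$(measure scenario_c)
    pps_b=$(bps_to_pps "$bps_b" "$PKTBYTES")
    pps_c=$(bps_to_pps "$bps_c" "$PKTBYTES")
    echo "bit/s: disabled=$bps_a one_rule=$bps_b ${NRULES}_rules=$bps_c"
    echo "estimated cost per count rule: $(per_rule_ns "$pps_b" "$pps_c" "$NRULES") ns/packet"
}
if [ "${RUN_BENCH:-0}" = 1 ]; then main; fi
```

Run it as `RUN_BENCH=1 ./ipfw-cost.sh` on the box under test; `IPFW=echo RUN_BENCH=1 ./ipfw-cost.sh` shows the rule commands without touching the kernel. The estimate only means something if the firewall, not the link or the peer, is the bottleneck: if (a) and (b) already report the same bit/s, the NIC is saturated and you need a CPU-side view instead, which is what Jason's per-function numbers give.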
