Re: Throughput extremely decreases when IPFW 7000 mac based rules activated

From: Eugene Grosbein <eugen_at_grosbein.net>
Date: Tue, 10 Aug 2021 05:08:15 UTC
CC'ing more knowledgeable eyes that may have something to add.

09.08.2021 21:58, alfadev via freebsd-hackers wrote:

> Hi, I have a FreeBSD 11.2 server with an IPFW firewall
> 
> There is an 870 Mbit/s fiber connection in my data center
> 
> There are 7000 defined MAC-based rules on IPFW and 3000 of them are active clients. There is no problem before loading the IPFW rules, but when I load the IPFW rules,
> 
> throughput decreases drastically, down to 80 Mbit/s. There are no error logs. I could not find what the problem is.
> 
> Any help would be appreciated at this point.

The search over ipfw rules is linear, so no wonder it decreases drastically when the list grows so big.
Also, layer-2 frames and then layer-3 packets may pass over the ipfw matching process up to four times
unless you carefully create your ruleset like this:

ipfw add 10 skipto 1000 not layer2 # do not MAC-filter layer3 packets that have L2 header stripped already anyway
ipfw add 20 allow out # do not MAC-filter packets leaving the firewall, MAC-filter incoming only
ipfw add 30 ... # start MAC-filtering here
...

ipfw add 1000 ... # firewall part for layer3 packets

Also, if you do filtering bridge, you should carefully read if_bridge(4) manual page,
section PACKET FILTERING and disable extra passes over packet filters such as:

sysctl net.link.bridge.pfil_member=0 # disable extra passes over ipfw ruleset for bridge members, filter the bridge itself only

Such a ruleset could decrease filtering overhead several times, but I'm afraid
that ipfw is not the right tool for this task at the moment.

ipfw has "tables" to optimize large list matching and they perform great but for layer3 IP matching, not for layer2 MAC matching.

Also, your 11.2 version is quite old and you may need to upgrade to 11.4-STABLE at least to catch up with bugfixes and/or optimizations.
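Below is an added example, not code from the reply above or from the FreeBSD project: a small POSIX shell script that generates an ipfw ruleset laid out the way the reply recommends (skipto for non-layer2 packets first, allow out second, then one rule per permitted client MAC) from a constructed list of client MACs. It prints the commands rather than running them so the result can be reviewed before being piped into sh on the firewall. The rule numbers (10/20 for the fast exits, MAC rules from 100 upward, a deny at 999, a stand-in layer-3 rule at 1000) and the `gen_ruleset` function name are assumptions for illustration; the `MAC dst-mac src-mac` rule syntax is from ipfw(8).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: emit an ipfw ruleset that
# MAC-filters inbound layer-2 frames only, in the order recommended above.
# Assumed rule numbering: 10/20 fast exits, 100+ per-client rules, 999 deny,
# 1000 start of the layer-3 policy (a stand-in rule is printed there).

# Constructed sample list of permitted client source MAC addresses, one per line.
MACLIST='00:11:22:33:44:55
00:11:22:33:44:66
00:11:22:33:44:77'

# gen_ruleset [bridge]: print the ipfw (and, with "bridge", sysctl) commands.
# Pass "bridge" when ipfw runs on a filtering bridge so that member interfaces
# do not get their own extra pass over the ruleset (see if_bridge(4)).
gen_ruleset() {
    if [ "$1" = "bridge" ]; then
        printf 'sysctl net.link.bridge.pfil_member=0\n'
    fi
    # Layer-3 passes (no L2 header any more) jump straight to the L3 policy,
    # so they never walk the thousands of MAC rules below.
    printf 'ipfw add 10 skipto 1000 not layer2\n'
    # Frames leaving the firewall are not MAC-filtered; inbound only.
    printf 'ipfw add 20 allow out\n'
    # One rule per permitted client. The syntax is "MAC dst-mac src-mac", so
    # "any <mac>" matches frames *from* that client; "in" limits it to inbound.
    # "allow" ends only the layer-2 pass: the same packet is evaluated again at
    # layer 3, where rule 10 sends it to the L3 policy at 1000.
    n=100
    printf '%s\n' "$MACLIST" | while read -r mac; do
        [ -n "$mac" ] || continue
        printf 'ipfw add %d allow MAC any %s in\n' "$n" "$mac"
        n=$((n + 1))
    done
    # Any other inbound frame with an L2 header comes from an unknown client.
    printf 'ipfw add 999 deny MAC any any in\n'
    # Stand-in for the layer-3 part of the firewall; replace with the real policy.
    printf 'ipfw add 1000 allow ip from any to any\n'
}

# Stand-alone use: review the output, then apply with  sh gen-ruleset.sh | sh
gen_ruleset "$@"
```

Because rule 10 diverts every layer-3 pass before the MAC rules, the linear walk over the per-client rules happens only for inbound frames that still carry a layer-2 header, which is the part of the overhead the reply says can be cut several times over.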