Best option to process packet ACL

Zé Claudio Pastore zclaudio at bsd.com.br
Wed Apr 27 19:21:51 UTC 2016


Hello everyone,

I would like to hear your suggestion regarding the best approach to process
IP packets for filtering, in such a way I can avoid lowering my pps rate.

Today I have a simple application that proxies an HTTP application. It's dual
threaded on a 4 core system with low CPU power. The current application
uses two threads, one for control and one for data flow processing.

I need to implement a simple set of stateless filtering, I will process
only:

- src-ip
- dst-ip
- src-port
- dst-port
- iplen
- proto (tcp/udp/other)

My current rate of requests per second is high, around 200K. I have no idea
how I can best leverage the idle CPUs to implement this ACL
filtering while trying not to impact the pps rate I have today.

I have implemented it serially today (not threaded) and I get a 40% performance
loss. I will handle a max of 128 filter rules; this is a decision which is made.
This is going to be first match wins.

My current plans are to test:

1) Create 6 threads, one to test each aspect of the ACL (src-ip, dst-ip,
etc). When the first thread returns false to the parent thread, I stop processing
that rule, go to the next, and tell all other threads to die/exit since
they don't matter anymore.

2) Create one thread to process a batch of rules, say, 8 rules per thread
per request. I don't know if I would limit the total number of threads and lock
requests while threads are busy.

3) Someone suggested "do as pf/ipfw do" but I have no idea how it's done,
how multithreaded it is and what is done on each thread.

4) Other suggestion?

This is going to run FreeBSD 11, I use libevent2 on the current application
so far.

Thanks.
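As an added example, not code from the poster or from pf/ipfw: a single-threaded, first-match-wins evaluator over exactly the six fields listed above, capped at 128 rules. The point it makes is that each rule costs a handful of short-circuited compares, so the per-field thread hand-off of option 1 would cost more than the check it parallelises; the ruleset, the PROTO_*/ACT_* names and the demo_verdict wrapper are constructed here for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define ACL_MAX_RULES 128                       /* ceiling chosen in the post */
#define ANY_IP   0u, 0u                         /* value, mask: matches everything */
#define ANY_PORT 0, 65535                       /* inclusive range: any port */
enum { PROTO_ANY = 0, PROTO_TCP = 6, PROTO_UDP = 17, PROTO_OTHER = 255 };
enum { ACT_PASS = 0, ACT_DROP = 1 };
/* Fields already parsed from the IP/TCP/UDP headers, in host byte order. */
struct pkt { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port, iplen; uint8_t proto; };
struct rule {
    uint32_t src_ip, src_mask, dst_ip, dst_mask;   /* prefix match: (ip & mask) == value */
    uint16_t sport_lo, sport_hi, dport_lo, dport_hi, len_lo, len_hi;
    uint8_t  proto, action;                        /* PROTO_* and ACT_* */
};
static bool proto_matches(uint8_t want, uint8_t have) {
    if (want == PROTO_ANY)   return true;
    if (want == PROTO_OTHER) return have != PROTO_TCP && have != PROTO_UDP;
    return want == have;
}

/* Most selective fields first; && short-circuits, so a non-matching rule costs 1-2 compares. */
static bool rule_matches(const struct rule *r, const struct pkt *p) {
    return proto_matches(r->proto, p->proto)
        && (p->dst_ip & r->dst_mask) == r->dst_ip
        && (p->src_ip & r->src_mask) == r->src_ip
        && p->dst_port >= r->dport_lo && p->dst_port <= r->dport_hi
        && p->src_port >= r->sport_lo && p->src_port <= r->sport_hi
        && p->iplen >= r->len_lo && p->iplen <= r->len_hi;
}

/* First match wins; dflt applies when no rule matches. */
int acl_eval(const struct rule *rules, size_t n, const struct pkt *p, int dflt) {
    if (n > ACL_MAX_RULES) n = ACL_MAX_RULES;
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], p)) return rules[i].action;
    return dflt;
}
/* Constructed sample ruleset (not from the post). Field order follows struct rule. */
static const struct rule demo_rules[] = {
    { 0xC0000200u, 0xFFFFFF00u, ANY_IP, ANY_PORT, 80, 80, 0, 65535, PROTO_TCP, ACT_DROP }, /* 192.0.2.0/24 -> tcp/80 */
    { ANY_IP, ANY_IP, ANY_PORT, 80, 80, 0, 65535, PROTO_TCP, ACT_PASS },      /* other tcp/80 to the proxy */
    { ANY_IP, ANY_IP, ANY_PORT, ANY_PORT, 1200, 65535, PROTO_UDP, ACT_DROP }, /* oversized UDP */
    { ANY_IP, ANY_IP, ANY_PORT, ANY_PORT, 0, 65535, PROTO_OTHER, ACT_PASS },  /* ICMP etc. */
};
/* Evaluate one packet against demo_rules with a default-drop policy. */
int demo_verdict(uint32_t src, uint32_t dst, uint16_t sp, uint16_t dp, uint16_t len, uint8_t proto) {
    struct pkt p = { src, dst, sp, dp, len, proto };
    return acl_eval(demo_rules, sizeof demo_rules / sizeof demo_rules[0], &p, ACT_DROP);
}
```

With 128 rules this is at most a few hundred compares per packet on one core, so any parallelism is better spent across packets or connections than across the fields of one rule.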

