loading lot of rules takes very long time
Artis Caune
ac-lists at latnet.lv
Mon Nov 10 00:00:55 PST 2003
"-Nq" speeds things up a little bit, thanks.
We need individual pipes for each client,
because they are different organizations
and pay different prices for different speed
pipes (international traffic). We have a /16 prefix ;)
We use "or" blocks for organizations with
more than one IP.
So I believe our rule design is not OK, but we can
do nothing about it!
We use "skipto" to divide our /16 prefix into pieces:
add 2 skipto 100 all from any to 159.148.0.0/24
add 2 skipto 200 all from any to 159.148.1.0/24
...
add 2 skipto N all from any to 159.148.255.0/24
This is just an example; we need more planning.
pf can load 50000 rules in about 5-7 sec.
ipfw needs about 25-35 min to load 30000 rules.
-----Original Message-----
From: owner-freebsd-ipfw at freebsd.org [mailto:owner-freebsd-ipfw at freebsd.org]
On Behalf Of Luigi Rizzo
Sent: Thursday, 6 November 2003 13:39
To: Artis Caune
Cc: freebsd-ipfw at freebsd.org
Subject: Re: loading lot of rules takes very long time
Most likely, because you are not using "-n", the printing
code will use the nameserver to try and resolve addresses, and
if halfway through you are limiting/blocking access to the
nameserver you incur timeouts.
To tell the truth I suspect you have a quite poorly designed
ruleset if you are adding individual rules and pipes for each
client. Almost surely you should make use of masks in pipes,
and address sets in rules, to reduce the size of your ruleset
to something manageable and efficient.
cheers
luigi
On Thu, Nov 06, 2003 at 01:04:31PM +0200, Artis Caune wrote:
> Hello,
>
> We have about 10000-20000 pipes for
> different subnets, and it takes a very long
> time to load them - about 10-15 min.
>
> 92.8% interrupt, 0.0% idle
>
> Strange that things slow down when the count
> reaches 2000-2500 rules.
>
> Is there something we can do to speed things up?
>
> rules are added like:
> ipfw -q add 1 pipe 1 src-ip 1.1.1.1 out via em0
> ipfw pipe 1 config bw 30Kbytes/s queue 10
> ...
> So 'ipfw' is invoked '2 x client_count' !!!
>
> Maybe ipfw needs a feature like:
> ipfw -f /etc/rc.firewall
>
> # FreeBSD-4.9, IPFW2,
> # HZ=2000, DEVICE_POLLING,
> # 1G RAM, 2.4xeon on Intel server board
>
> .....
> Artis
>
>
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
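The two fixes discussed in this thread, loading the whole ruleset with one ipfw invocation instead of one process per client, and replacing per-client pipes with one masked pipe per rate class, as an added example that is not code from the thread or from the FreeBSD project. It assumes a client list in the form "<ip> <rate in Kbytes/s>", outbound shaping via em0, client rules numbered from 1000, a chunk of 50 addresses per rule (a design choice, not an ipfw limit), and an ipfw2/dummynet that supports comma-separated address lists and pipe masks:

```shell
#!/bin/sh
# Added example (not code from the thread): generate one ipfw rules file
# from a client list and load it with a single ipfw invocation, collapsing
# per-client pipes into one masked pipe per rate class.
#
# Assumptions: clients are listed as "<ip> <rate in Kbytes/s>", shaping is
# outbound via em0, client rules start at number 1000, and the installed
# ipfw2/dummynet supports comma-separated address lists and pipe masks.

IFACE=${IFACE:-em0}   # outbound interface (assumed)
CHUNK=${CHUNK:-50}    # addresses per rule line; a design choice, not an ipfw limit

# Constructed sample client list; in production read it from a file.
sample_clients() {
    cat <<'EOF'
159.148.0.10 30
159.148.0.11 30
159.148.1.5 100
159.148.1.6 30
159.148.2.7 100
EOF
}

# gen_rules: read "ip rate" pairs on stdin, print ipfw commands on stdout.
# Clients are sorted by rate so that each distinct rate gets exactly one
# pipe. "mask src-ip 0xffffffff" makes dummynet keep a separate dynamic
# queue per source address, so every client still gets its own bandwidth
# although the pipe is configured once. Each rule carries up to CHUNK
# addresses, so the ruleset grows with the number of rate classes and
# chunks rather than with the number of clients.
gen_rules() {
    sort -k2,2n -k1,1 | awk -v iface="$IFACE" -v chunk="$CHUNK" '
    function flush() {
        if (n > 0) {
            printf "add %d pipe %d ip from %s to any out via %s\n",
                   rule, pipe, list, iface
            rule++; n = 0; list = ""
        }
    }
    BEGIN { pipe = 0; rule = 1000; n = 0 }
    NR == 1 || $2 != rate {
        flush()
        rate = $2; pipe++
        printf "pipe %d config bw %dKbytes/s queue 10 mask src-ip 0xffffffff\n",
               pipe, rate
    }
    {
        list = (n == 0) ? $1 : list "," $1
        if (++n == chunk) flush()
    }
    END { flush() }'
}

# load_rules: write the generated commands to a file and hand the whole
# file to ipfw in ONE process. ipfw reads one command per line from the
# file, so this replaces the "2 x client_count" invocations from the
# thread; -q keeps ipfw from printing every rule as it is installed.
load_rules() {
    rules=${1:-/etc/ipfw.rules}
    sample_clients | gen_rules > "$rules"   # production: gen_rules < /etc/ipfw.clients > "$rules"
    ipfw -q "$rules"
}

# Invoked with "load" it installs the rules; otherwise it only prints them.
if [ "${1:-}" = load ]; then
    load_rules "${2:-/etc/ipfw.rules}"
else
    sample_clients | gen_rules
fi
```

For the five sample clients this prints two pipe definitions and two rules instead of ten ipfw invocations; the trade-off is that every client in a class shares one pipe definition, so a per-client rate change means moving that address to another class rather than reconfiguring its own pipe.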