loading lot of rules takes very long time
Luigi Rizzo
rizzo at icir.org
Mon Nov 10 00:18:02 PST 2003
On Mon, Nov 10, 2003 at 09:59:29AM +0200, Artis Caune wrote:
> "-Nq" speeds it up a little bit, thanks
>
> We need individual pipes for each client,
> because they are different organizations
> and pay different price for different speed
> pipes. (international traffic) We have /16 prefix ;)
i understand that, what i meant is that i believe you only
have a handful (say S) of different speeds
and a handful (say L) of prefix lengths, so you could just
create 2*S*L pipes with masks and pass traffic for
the various clients to these pipes.
This would make your ruleset a lot more
efficient.
> we use "skipto" to divide our /16 prefix in pieces:
> add 2 skipto 100 all from any to 159.148.0.0/24
> add 2 skipto 200 all from any to 159.148.1.0/24
> ...
> add 2 skipto N all from any to 159.148.255.0/24
>
> This is just an example, we need more planning.
>
>
> pf can load 50000 rules in about 5-7 sec.
> ipfw needs about 25-35 min to load 30000 rules.
hmm... i believe you should really follow the suggestion that
someone else posted and use the
ipfw [-cnNqS] [-p preproc [preproc-flags]] pathname
command format to load all rules at once.
cheers
luigi
>
> -----Original Message-----
> From: owner-freebsd-ipfw at freebsd.org [mailto:owner-freebsd-ipfw at freebsd.org]
> On Behalf Of Luigi Rizzo
> Sent: Thursday, 6 November 2003 13:39
> To: Artis Caune
> Cc: freebsd-ipfw at freebsd.org
> Subject: Re: loading lot of rules takes very long time
>
> most likely, because you are not using "-n", the printing
> code will use the nameserver to try and resolve addresses, and
> if halfway through you are limiting/blocking access to the
> nameserver you incur timeouts.
>
> To tell the truth i suspect you have a quite poorly designed
> ruleset if you are adding individual rules and pipes for each
> client. Almost surely you should make use of masks in pipes,
> and address sets in rules, to reduce the size of your ruleset
> to something manageable and efficient.
>
> cheers
> luigi
>
> On Thu, Nov 06, 2003 at 01:04:31PM +0200, Artis Caune wrote:
> > Hello,
> >
> > We have about 10000-20000 pipes for
> > different subnets, and it takes a very long
> > time to load them - about 10-15 min.
> >
> > 92.8% interrupt, 0.0% idle
> >
> > strange that things slow down when the count
> > reaches 2000-2500 rules.
> >
> > is there something we can do to speed things up?
> >
> > rules are added like:
> > ipfw -q add 1 pipe 1 src-ip 1.1.1.1 out via em0
> > ipfw pipe 1 config bw 30Kbytes/s queue 10
> > ...
> > so 'ipfw' is invoked '2 x client_count' !!!
> >
> > maybe ipfw needs a feature like:
> > ipfw -f /etc/rc.firewall
> >
> > # FreeBSD-4.9, IPFW2,
> > # HZ=2000, DEVICE_POLLING,
> > # 1G RAM, 2.4xeon on Intel server board
> >
> > .....
> > Artis
> >
> >
> > _______________________________________________
> > freebsd-ipfw at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
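Luigi's two suggestions in the reply above (masked pipes shared by all clients of the same speed class and prefix length, and loading the whole ruleset from a file in one ipfw invocation) put together, as an added example that is not code from the thread or from FreeBSD; the speed classes, client prefixes, pipe numbering and output path are constructed assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread: one ipfw ruleset file using a
# masked dummynet pipe per (speed class, prefix length, direction), Luigi's
# 2*S*L, instead of a pipe per client, loaded by a single "ipfw -q pathname".
# Speed classes, client prefixes and the output path are constructed.
IFACE=em0                       # interface from the thread's example rule
RULES=${RULES:-/tmp/ipfw.rules} # assumed output path
# Constructed client list: "prefix speed_class", one per line.
CLIENTS="159.148.0.0/24 1
159.148.1.0/24 3
159.148.2.0/24 2
159.148.4.0/25 2"

bw_of() {   # speed class -> bandwidth (constructed values)
    case $1 in
        1) echo 64Kbit/s ;;  2) echo 256Kbit/s ;;  3) echo 1Mbit/s ;;
        *) echo "unknown speed class: $1" >&2; return 1 ;;
    esac
}

# Netmask of a prefix length in the hex form dummynet's "mask" option takes.
mask_of() { printf '0x%08x' $(( (4294967295 << (32 - $1)) & 4294967295 )); }
# stdin: "prefix class" lines. Prints deduplicated pipe configs, then two
# rules per client (traffic to it, traffic from it). A pipe masked on the
# prefix length gives every prefix of that length its own queue at the class
# bandwidth, so the pipe count stays 2*S*L however many clients there are.
gen_rules() {
    pipes= adds= n=1000
    while read -r prefix class; do
        [ -n "$prefix" ] || continue
        len=${prefix#*/}; bw=$(bw_of "$class") || return 1
        to_pipe=$((class * 100 + len)); from_pipe=$((1000 + to_pipe))
        pipes="$pipes
pipe $to_pipe config bw $bw mask dst-ip $(mask_of "$len")
pipe $from_pipe config bw $bw mask src-ip $(mask_of "$len")"
        adds="$adds
add $n pipe $to_pipe ip from any to $prefix out via $IFACE
add $((n + 1)) pipe $from_pipe ip from $prefix to any in via $IFACE"
        n=$((n + 10))
    done
    printf '%s\n' "$pipes" | sed '/^$/d' | sort -u
    printf '%s\n' "$adds" | sed '/^$/d'
}

# Write the file and load it in one ipfw process (as root on the FreeBSD box);
# "ipfw -n pathname" would only check the syntax without loading it.
load_rules() {
    printf '%s\n' "$CLIENTS" | gen_rules > "$RULES" && ipfw -q "$RULES"
}
case ${1:-} in load) load_rules ;; esac
```

Running the script with the argument `load` writes the file and loads it; without arguments it only defines the functions, so `gen_rules` can be inspected first.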