ipfw performance and random musings.
Ian FREISLICH
if at hetzner.co.za
Thu Aug 24 12:32:07 UTC 2006
Ian FREISLICH wrote:
> Luigi Rizzo wrote:
> > On Wed, Aug 02, 2006 at 01:42:51PM +0200, Ian FREISLICH wrote:
> > > You're thinking somewhere on the lines of:
> > >
> > > skipto base hash-if <name pattern> from <number> to <number> delta <delta> [offset <number>]

This is the syntax I've pretty much settled upon:

    skipto 1000 ip from any to any ifhash vlan[1000-1264] offset -1000 delta 100

Which for matching interfaces calculates the skipto target as:

    1000 + (iface# + offset) * delta

If you're happy with this format, I'll update the ipfw manual page
and submit a patch for review and commit.

I'm now getting ~440kpps forwarded at about 35% interrupt CPU utilisation.

I'm going to have a bash at giving ifconfig a new option so that
packets can be injected into the firewall at the right point. I
have something like the following in mind:

    ifconfig em1 ipfw_rule 1000

    foo% ifconfig em1
    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
            inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
            ether 00:04:23:ce:ca:a0
            media: Ethernet autoselect (1000baseTX <full-duplex>)
            status: active
            ipfw_rule: 1000

I expect this to reduce interrupt CPU overhead to about 8% at ~440kpps.

Ian
--
Ian Freislich
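
The target calculation described in the message above, as an added example that is not part of the original post or of the proposed patch. The function name ifhash_target, the pattern parsing and the 1..65535 rule-number bound are assumptions made for this example; it also shows what a firewall author would want checked: interfaces outside the range must not match, and a large delta must not produce a target past the end of the ruleset.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPFW_MAX_RULE 65535	/* highest ipfw rule number */

/*
 * Hypothetical helper (not the patch's code): compute the skipto target
 *     base + (iface# + offset) * delta
 * for ifname against a pattern such as "vlan[1000-1264]".
 * Returns -1 when the interface does not match or the result is not a
 * usable rule number.
 */
int
ifhash_target(const char *ifname, const char *pattern, int base, int offset,
    int delta)
{
	char prefix[16], *end;
	int lo, hi;
	long unit;
	long long target;
	size_t plen;

	if (sscanf(pattern, "%15[a-z][%d-%d]", prefix, &lo, &hi) != 3)
		return (-1);
	/* Keep every operand rule-sized so the arithmetic cannot overflow. */
	if (lo < 0 || lo > hi || hi > IPFW_MAX_RULE ||
	    base < 1 || base > IPFW_MAX_RULE ||
	    offset < -IPFW_MAX_RULE || offset > IPFW_MAX_RULE ||
	    delta < -IPFW_MAX_RULE || delta > IPFW_MAX_RULE)
		return (-1);

	plen = strlen(prefix);
	if (strncmp(ifname, prefix, plen) != 0 ||
	    !isdigit((unsigned char)ifname[plen]))
		return (-1);		/* wrong name, or no unit number */
	unit = strtol(ifname + plen, &end, 10);
	if (*end != '\0' || unit < lo || unit > hi)
		return (-1);		/* trailing junk or outside [lo-hi] */

	target = base + (long long)(unit + offset) * delta;
	/* A target outside 1..65535 would not name a valid rule. */
	if (target < 1 || target > IPFW_MAX_RULE)
		return (-1);
	return ((int)target);
}
```

With the rule from the message, vlan1000 lands on rule 1000 and vlan1264 on rule 27400, so each interface gets a block of 100 rule numbers.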