how much memory does increasing max rules for IPFW take up?
Andrey V. Elsukov
bu7cher at yandex.ru
Fri May 16 04:33:18 UTC 2008
Bruce M. Simpson wrote:
> Got any figures for this? I took a quick glance and it looks like it
> just uses a hash over dst/src/dport/sport. If there are a lot of raw IP
> or ICMP flows then that's going to result in hash collisions.
It's my guess, I haven't any figures..
Yes, hash collisions will trigger many searches in bucket lists.
And increasing only dyn_max without increasing dyn_buckets will
increase collisions.
> It might be a good project for someone to optimize if it isn't scaling
> for folk. "Bloomier" filters are probably worth a look -- bloom filters
> are a class of probabilistic hash which may return a false positive,
> "bloomier" filters are a refinement which tries to limit the false
> positives.
There were some ideas from Vadim Goncharov about rewriting the dynamic
rules implementation..
--
WBR, Andrey V. Elsukov
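
Added example (not part of the original messages and not ipfw's own code): a small C model of the point made in the reply above, that raising dyn_max while leaving dyn_buckets alone lengthens the per-bucket lists. The XOR-and-mask hash, the `flow_id` struct, the function names and the sample flows are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The four fields the thread says the dynamic-rule hash covers. */
struct flow_id { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };

/* ASSUMPTION: simplified model (XOR of the fields, masked to a
 * power-of-two table size); not copied from the ipfw source. */
static uint32_t model_hash(const struct flow_id *f, uint32_t buckets)
{
    return (f->src_ip ^ f->dst_ip ^ f->src_port ^ f->dst_port) & (buckets - 1);
}

/* Insert nflows states into `buckets` chains. Returns the longest chain
 * (-1 on bad input); *avg gets the mean entries compared per lookup. */
static int longest_chain(uint32_t nflows, uint32_t buckets, double *avg)
{
    if (buckets == 0 || (buckets & (buckets - 1)) != 0)
        return -1;
    uint32_t *len = calloc(buckets, sizeof *len);
    if (len == NULL)
        return -1;
    for (uint32_t n = 0; n < nflows; n++) {
        /* Constructed sample: host n of 10.0.0.0/8 sends ICMP (ports
         * are 0) to 192.168.1.1, so only the addresses feed the hash. */
        struct flow_id f = { 0x0A000000u + n, 0xC0A80101u, 0, 0 };
        len[model_hash(&f, buckets)]++;
    }
    uint32_t max = 0;
    uint64_t compares = 0;   /* finding each entry of an L-chain: 1+2+...+L */
    for (uint32_t b = 0; b < buckets; b++) {
        if (len[b] > max) max = len[b];
        compares += (uint64_t)len[b] * (len[b] + 1) / 2;
    }
    free(len);
    if (avg != NULL)
        *avg = nflows ? (double)compares / nflows : 0.0;
    return (int)max;
}

int main(void)
{
    double avg;
    int max = longest_chain(4096, 256, &avg);
    printf("4096 states, 256 buckets: longest=%d avg=%.1f\n", max, avg);
    max = longest_chain(4096, 4096, &avg);
    printf("4096 states, 4096 buckets: longest=%d avg=%.1f\n", max, avg);
    return 0;
}
```

Real traffic is less regular than this sample, so real chains are uneven, but the mean chain length is still the number of states divided by the number of buckets.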