ipfw rule processing performances

Julian Elischer julian at freebsd.org
Tue Oct 25 23:11:17 UTC 2011


On 10/25/11 8:36 AM, Karim wrote:
> Hi all,
>
> I am using ipfw with a fairly small amount of rules (~200). Most of 
> those are skipto rules to different blocking and pass-through 
> blocks. I use ipfw tags, ALTQ, nat, fwd and several deny and allow 
> rules and I do not use/need tables.
>
> What I find is around 400Mbps of traffic (~40kpps) an extremely high 
> amount of cpu usage related to firewall processing.
>
> What I would like to know is if there is an ongoing work to optimise 
> ipfw and/or gather ideas on how to do that.
>
> I realise my question has a large scope but I am not interested in 
> optimizing my ruleset I'd like to get a feel for how code wise the 
> current processing could be optimized (using multiple input TX/RX 
> queues for example, etc...).
>
> Thanks,
>
> Karim.

I find that the structure of the ruleset has a huge effect on the cpu 
usage.

For example, I immediately split incoming and outgoing packets apart 
and send them to different groups of rules.
I also have different groups of rules for internal and external rules,
so my rulesets usually start with:

skipto 1000  all from any to any in recv ${OUTSIDE_INTERFACE}
skipto 2000 all from any to any in recv ${INSIDE_INTERFACE}
skipto 3000 all from any to any out xmit ${OUTSIDE_INTERFACE}
skipto 4000 all from any to any out xmit ${INSIDE_INTERFACE}
allow all from any to any via lo0
drop all from any to any

I also try to use tables whenever possible.
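As an added illustration (not Julian's script and not part of FreeBSD's ipfw), the following sh script builds a ruleset with the structure described above: a four-way skipto dispatcher keyed on direction and interface, one small rule group per direction that ends in an explicit terminal rule, and a table for the external block list so that many prefixes cost one lookup instead of a chain of deny rules. The interface names em0/em1, the table number 1 and the 192.0.2.0/24 and 198.51.100.0/24 entries are constructed sample values; the 1000/2000/3000/4000 block numbers follow the post. By default the script only prints the ipfw commands it would run; on a FreeBSD firewall it is invoked with IPFW=ipfw.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a direction-
# split ipfw ruleset: one skipto dispatcher, four small rule groups, and
# a table-based block list. IPFW defaults to a dry run that echoes the
# commands; set IPFW=ipfw to apply them on a FreeBSD host.

IPFW="${IPFW:-echo ipfw}"
OUTSIDE_INTERFACE="${OUTSIDE_INTERFACE:-em0}"   # assumed interface name
INSIDE_INTERFACE="${INSIDE_INTERFACE:-em1}"     # assumed interface name
BLOCKLIST_TABLE=1                                # assumed table number

# rule NUM BODY...: add one numbered rule through $IPFW.
rule() {
    $IPFW add "$@"
}

build_ruleset() {
    # Start from a clean slate so re-running the script is idempotent.
    $IPFW -q flush
    $IPFW table "$BLOCKLIST_TABLE" flush 2>/dev/null || true

    # Constructed sample prefixes. A table match is one lookup however
    # many prefixes it holds; a list of deny rules is one compare each.
    $IPFW table "$BLOCKLIST_TABLE" add 192.0.2.0/24
    $IPFW table "$BLOCKLIST_TABLE" add 198.51.100.0/24

    # Dispatcher: each packet takes exactly one skipto, so it walks at
    # most one of the four groups below instead of the whole ruleset.
    rule 100 skipto 1000 all from any to any in recv "$OUTSIDE_INTERFACE"
    rule 110 skipto 2000 all from any to any in recv "$INSIDE_INTERFACE"
    rule 120 skipto 3000 all from any to any out xmit "$OUTSIDE_INTERFACE"
    rule 130 skipto 4000 all from any to any out xmit "$INSIDE_INTERFACE"
    rule 140 allow all from any to any via lo0
    rule 150 deny all from any to any

    # 1000: inbound on the outside interface. Block list first, then the
    # few services exposed, then replies to our own connections.
    rule 1000 deny all from "table($BLOCKLIST_TABLE)" to any
    rule 1010 allow tcp from any to me 22,443 setup
    rule 1020 allow tcp from any to any established
    rule 1999 deny all from any to any       # explicit end of block

    # 2000: inbound on the inside interface (trusted side).
    rule 2000 allow all from any to any
    rule 2999 deny all from any to any       # never fall through

    # 3000: outbound on the outside interface.
    rule 3000 deny all from any to "table($BLOCKLIST_TABLE)"
    rule 3010 allow all from any to any
    rule 3999 deny all from any to any

    # 4000: outbound on the inside interface.
    rule 4000 allow all from any to any
    rule 4999 deny all from any to any
}

# count_matching PATTERN: number of generated commands containing PATTERN
# (dry-run mode only); handy for checking the ruleset before applying it.
count_matching() {
    build_ruleset | grep -c -- "$1"
}

build_ruleset
```

Each group ends with its own deny so a packet that matches nothing in its group is dropped there rather than falling into the next group's rules; the terminal rules also make the per-packet worst case the length of one group, not the whole list.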
