ipfw rule processing performances
Michael Sierchio
kudzu at tenebras.com
Wed Oct 26 03:53:04 UTC 2011
On Tue, Oct 25, 2011 at 6:43 PM, Julian Elischer <julian at freebsd.org> wrote:
> I find that the structure of the ruleset has a huge effect on the cpu usage.
>
> for example I immediately split incoming and outgoing packets apart and send
> them to different groups of rules.
> I also have different groups of rules for internal and external rules.
> so my rulesets usually start with:
>
> skipto 1000 all from any to any in recv ${OUTSIDE_INTERFACE}
> skipto 2000 all from any to any in recv ${INSIDE_INTERFACE}
> skipto 3000 all from any to any out xmit ${OUTSIDE_INTERFACE}
> skipto 4000 all from any to any out xmit ${INSIDE_INTERFACE}
> allow all from any to any via lo0
> drop all from any to any
>
> I also try to use tables whenever possible.
I've found the same to be true, and use a scheme similar to what
Julian describes - I have rules grouped based on interface and
direction. Having larger tables and fewer table lookups is faster, in
my experience - such that I have a big block list (~20,000 nets) and a
small whitelist (~20 nets) ...
- M
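The prologue Julian quotes is only the dispatch part of such a ruleset. The script below, an added example that is not code from either poster, fills in the four interface/direction groups and shows the two-table pattern Michael describes (one large block list, one small allow list). Interface names, rule numbers, the numbered tables and the network addresses are all constructed for illustration; by default the script only prints the ipfw commands it would run, and setting IPFW_CMD=/sbin/ipfw makes it load them.

```shell
#!/bin/sh
# Added example: ipfw ruleset split by interface and direction with skipto,
# with block/allow tables consulted in the groups that need them.
# Assumed values: interface names, rule numbers, table numbers, addresses.
OUTSIDE_INTERFACE="${OUTSIDE_INTERFACE:-em0}"
INSIDE_INTERFACE="${INSIDE_INTERFACE:-em1}"
# Default to printing commands; set IPFW_CMD=/sbin/ipfw to apply them.
fwcmd="${IPFW_CMD:-echo ipfw}"

# Emit the complete ruleset, one ipfw command per line.
gen_ruleset() {
    # Table 1: large block list. Table 2: small allow list. Addresses constructed.
    $fwcmd table 1 flush
    $fwcmd table 2 flush
    $fwcmd table 1 add 192.0.2.0/24
    $fwcmd table 1 add 198.51.100.0/24
    $fwcmd table 2 add 203.0.113.10/32

    # Dispatch: classify each packet once, then evaluate only its group.
    $fwcmd add 100 skipto 1000 all from any to any in recv "$OUTSIDE_INTERFACE"
    $fwcmd add 110 skipto 2000 all from any to any in recv "$INSIDE_INTERFACE"
    $fwcmd add 120 skipto 3000 all from any to any out xmit "$OUTSIDE_INTERFACE"
    $fwcmd add 130 skipto 4000 all from any to any out xmit "$INSIDE_INTERFACE"
    $fwcmd add 140 allow all from any to any via lo0
    $fwcmd add 150 deny all from any to any

    # Group 1000: inbound on the outside interface. Two table lookups at most,
    # allow list first so it overrides the block list.
    $fwcmd add 1000 allow all from "table(2)" to any
    $fwcmd add 1010 deny all from "table(1)" to any
    $fwcmd add 1020 allow tcp from any to any established
    $fwcmd add 1030 allow tcp from any to me 22,443 setup
    $fwcmd add 1999 deny all from any to any

    # Group 2000: inbound on the inside interface (traffic from the LAN).
    $fwcmd add 2000 allow all from any to any
    $fwcmd add 2999 deny all from any to any

    # Group 3000: outbound on the outside interface; never talk to blocked nets.
    $fwcmd add 3000 deny all from any to "table(1)"
    $fwcmd add 3010 allow all from any to any
    $fwcmd add 3999 deny all from any to any

    # Group 4000: outbound on the inside interface (toward the LAN).
    $fwcmd add 4000 allow all from any to any
    $fwcmd add 4999 deny all from any to any
}

gen_ruleset
```

Each group ends with its own deny so a packet that reaches the end of a group never falls through into the next one. Only the outside-interface groups pay for a table lookup; LAN traffic is dispatched to a group with a single allow rule.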