Re: parallelizing ipfw table

_at_babolo.ru
Date: 11/28/05

  • Next message: Gleb Smirnoff: "Re: parallelizing ipfw table"
    To: Gleb Smirnoff <glebius@FreeBSD.org>
    Date: Mon, 28 Nov 2005 13:42:41 +0300 (MSK)
    
    

    > On Mon, Nov 28, 2005 at 08:27:32AM +0200, Ruslan Ermilov wrote:
    > R> > Can you try my patch? Since it reduces the total number of mutex
    > R> > operations it should be a win on UP, too.
    > R> We're currently based on 4.x. You can try it yourself: create
    > R> a table with 10000 entries and with value 13. Then write a
    > R> ruleset with 13 rules that look up this table so that the last
    > R> rule looks it up with value 13, and do a benchmark. Let me
    > R> know what the results are with and without caching.
    > Such a firewall looks unoptimized. Why should we optimize the
    > code for non-optimized setups? Can't we avoid looking into one table
    > 13 times each packet?

    add 47400 pipe 47400 ip from table(0, 0) to any
    add 47401 pipe 47401 ip from table(0, 1) to any
    add 47402 pipe 47402 ip from table(0, 2) to any
    add 47403 pipe 47403 ip from table(0, 3) to any
    add 47404 pipe 47404 ip from table(0, 4) to any
    add 47405 pipe 47405 ip from table(0, 5) to any
    add 47406 pipe 47406 ip from table(0, 6) to any
    add 47407 pipe 47407 ip from table(0, 7) to any
    add 47408 pipe 47408 ip from table(0, 8) to any
    add 47409 pipe 47409 ip from table(0, 9) to any

    for different traffic consumers listed in table(0)

    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
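
The ruleset in this message, modelled as an added example (not code from the thread or from ipfw): it counts table lookups per packet for rules of the form `table(0, N)`, with and without reusing the first lookup result. The table contents, the class name and the reading of "caching" as a one-entry per-packet cache are assumptions.

```python
import ipaddress

def build_table(entries):
    """(cidr, value) pairs, sorted longest prefix first to mimic a radix lookup."""
    nets = [(ipaddress.ip_network(cidr), value) for cidr, value in entries]
    return sorted(nets, key=lambda nv: nv[0].prefixlen, reverse=True)

# Constructed table(0): ten consumers, 10.0.N.0/24 carries value N.
TABLE0 = build_table((f"10.0.{n}.0/24", n) for n in range(10))
# Rules 47400..47409 from the message: "pipe 4740N ip from table(0, N) to any".
RULES = [(47400 + n, n) for n in range(10)]

class Classifier:
    def __init__(self, table, rules, cache=False):
        self.table = table
        self.rules = rules        # (pipe number, wanted table value), in rule order
        self.cache = cache        # assumption: remember one lookup per packet
        self.lookups = 0          # number of table searches performed

    def _lookup(self, addr):
        self.lookups += 1
        for net, value in self.table:
            if addr in net:
                return value
        return None

    def classify(self, src):
        """Return the pipe number of the first matching rule, or None."""
        addr = ipaddress.ip_address(src)
        looked_up, value = False, None
        for pipe, wanted in self.rules:
            if not (self.cache and looked_up):
                value = self._lookup(addr)
                looked_up = True
            # table(0, N) matches only if the address is listed AND its value is N
            if value is not None and value == wanted:
                return pipe
        return None

def lookups_for(src, cache):
    c = Classifier(TABLE0, RULES, cache=cache)
    return c.classify(src), c.lookups

if __name__ == "__main__":
    for src in ("10.0.0.7", "10.0.9.5", "192.0.2.1"):
        print(src, "no cache:", lookups_for(src, False), "cache:", lookups_for(src, True))
```

The worst case is a source matched by the last rule or by none of them: every rule repeats the search unless the first result is reused.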

