>Number:         156770
>Category:       kern
>Synopsis:       ipfw/dummynet: performance improvement and several extensions
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 02 16:10:10 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Alexandr
>Release:        7.2-RELEASE-p8
>Organization:
NetAssist
>Environment:
FreeBSD homecat.alter.org.ua 7.2-RELEASE-p8 FreeBSD 7.2-RELEASE-p8 #6: Sat Apr 23 12:52:20 EEST 2011
     [email protected]:/usr/src/sys/i386/compile/CAT_v14c  i386

>Description:
# add commands zshow, replace
# option -Q for ignoring ALL errors in ruleset
# add 'skipto tablearg'
# add 'via table()', you can insert interface name into table
# add condition 'if-index' - number of interface (e.g. for vlan55 it would be 55)
# indexing of rules in kernel (index table) for fast handling of skipto tablearg, and effective add/remove of large amount of rules.
# mapped table - for tables containing many single IPs (e.g. /32) we perform large subnet lookup via b-tree (e.g. /23, controlled by sysctl net.inet.ip.fw.def_map_mlen), and inside each /23 perform table lookup. Works much faster.
# map table - hash-based division of large IP block on several small ones. For example, /16 can be divided into 256 subnets. We can do it by 3rd octet (hoffset 16, hlen 8). Also, we can do it by 4th octet (hoffset 24, hlen 8). hoffset defines number of the 1st bit of hash, hlen - hash length in bits. Also, we define base IP and netmask for map table to match large IP block.
# indexed pipe lookup table (controlled by sysctl net.inet.ip.dummynet.full_indexing)
# traffic counter/limiter - count-upd, count-check, count-exceed.
# nexthop ipfw action. In contrast to fwd it just sets next-hop for packet and continues rule processing.
# optimized dummynet io_fast. Value 2 makes dummynet just forward packet without placing it in the queue, if bandwidth limit is not exceeded. When value is set to 1 packet is added and then removed from queue (it is a bit slower).
# it is possible to use bmap instead of port list. It gives performance benefit when you have large list of services. Lookup time doesn't depend on list size. Rather useful for QoS of game traffic.
# Fast ipfw tagging (ftag) - you can assign up to 32 ftags on packet. All ftags are stored in single memory block as bitmap. They are faster than usual tags, which allocate separate memory block for each tag.
# Local ipfw tagging (ltag) - you can assign up to 32 ftags on packet. Ltags are not preserved when packet leaves ipfw ruleset (e.g. is sent to another interface, diverted or passed through pipe). The benefit is performance - ltag does not require memory allocation at all.
>How-To-Repeat:

>Fix:
http://alter.org.ua/soft/fbsd/ipfw/ipfw.72.20110501.patch.gz

>Release-Note:
>Audit-Trail:
>Unformatted:
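Added illustration, not code from the submitted patch: the PR describes a "map table" that splits a large IP block into hash buckets selected by the bit range (hoffset, hlen) of the address, and a port "bmap" whose lookup cost does not depend on how many services are listed. The C below works through both ideas in user space so the bucket arithmetic and the bitmap test can be checked against the PR's own example (a /16 split by the 3rd octet with hoffset 16, hlen 8, or by the 4th octet with hoffset 24, hlen 8). Struct names, function names and the sample addresses are assumptions made for this example.

```c
/*
 * Illustration of the map-table bucket selection and port-bitmap lookup
 * described in the PR text. Not the patch's own code; names are invented.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Map-table parameters as the PR describes them: base IP plus netmask select
 * the large block; hoffset is the position of the first hash bit counted from
 * the most significant bit (0..31); hlen is the hash length in bits. */
struct map_table {
    uint32_t base;     /* base IP, host byte order */
    uint32_t netmask;  /* netmask of the large block, host byte order */
    unsigned hoffset;
    unsigned hlen;
};

/* Number of sub-blocks the large block is divided into (2^hlen). */
unsigned map_table_nbuckets(const struct map_table *t)
{
    return 1u << t->hlen;
}

/* Returns the bucket index for addr, or -1 when the parameters are invalid
 * or the address lies outside base/netmask (a bucket is never chosen for an
 * address the table does not cover). */
int map_table_bucket(const struct map_table *t, uint32_t addr)
{
    if (t->hlen == 0 || t->hlen > 31 || t->hoffset + t->hlen > 32)
        return -1;
    if ((addr & t->netmask) != (t->base & t->netmask))
        return -1;
    /* Shift the hash field down to bit 0 and mask off hlen bits. With
     * hoffset 16 / hlen 8 this yields the 3rd octet; with 24 / 8 the 4th. */
    unsigned shift = 32 - t->hoffset - t->hlen;
    return (int)((addr >> shift) & ((1u << t->hlen) - 1));
}

/* Convenience: build a host-order IPv4 address from dotted-quad octets. */
uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Port bitmap: one bit per TCP/UDP port, 65536 bits = 8192 bytes. */
struct port_bmap {
    uint8_t bits[65536 / 8];
};

void port_bmap_init(struct port_bmap *m) { memset(m->bits, 0, sizeof m->bits); }

void port_bmap_set(struct port_bmap *m, uint16_t port)
{
    m->bits[port >> 3] |= (uint8_t)(1u << (port & 7));
}

/* Constant-time membership test: one byte load and a shift, however many
 * ports were added. */
bool port_bmap_test(const struct port_bmap *m, uint16_t port)
{
    return (m->bits[port >> 3] >> (port & 7)) & 1u;
}

/* The linear list the bitmap replaces: cost grows with the list length. */
bool port_list_test(const uint16_t *list, size_t n, uint16_t port)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == port)
            return true;
    return false;
}

int main(void)
{
    /* Constructed sample block: 10.20.0.0/16 split by the 3rd octet. */
    struct map_table t = { ip4(10, 20, 0, 0), 0xffff0000u, 16, 8 };
    uint32_t a = ip4(10, 20, 55, 7);
    printf("buckets=%u  10.20.55.7 -> bucket %d\n",
           map_table_nbuckets(&t), map_table_bucket(&t, a));
    t.hoffset = 24; /* now split by the 4th octet */
    printf("10.20.55.7 -> bucket %d (4th octet)\n", map_table_bucket(&t, a));
    printf("10.21.55.7 -> %d (outside base/netmask)\n",
           map_table_bucket(&t, ip4(10, 21, 55, 7)));

    static struct port_bmap pm;
    static const uint16_t game_ports[] = { 27015, 27016, 3074 };
    port_bmap_init(&pm);
    for (size_t i = 0; i < 3; i++)
        port_bmap_set(&pm, game_ports[i]);
    printf("bmap 27015=%d 27017=%d  list 27015=%d\n",
           port_bmap_test(&pm, 27015), port_bmap_test(&pm, 27017),
           port_list_test(game_ports, 3, 27015));
    return 0;
}
```

The bucket index is computed only after the base/netmask check, so an address outside the large block is reported as unmatched rather than silently hashed into some bucket of another block; the same guard rejects (hoffset, hlen) pairs that would read past bit 31.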