Would breaking the rule out into separate smaller rules help improve the bottleneck?
It looks like ipfw uses a 'first rule wins' model, so perhaps reordering could help.
Filter all the bogon and RFC1918 IPs out first, then filter out the NetBIOS traffic and
anything else that globally shouldn't be allowed, with the divert rule being
simplified and left to the end.
--
Will
On 7/21/15 2:51 PM, Brian Kantor wrote:
> Statistics and experiments show that the bottleneck is the IP input
> routines processing the ipfw rules. Since this is single-threaded inside
> the kernel, more cores over the effective 4 we have now will probably
> not help. As you can see from the snapshot below, the task queue for the
> input interface is full and that is where the packets are being dropped.
>
> # known addresses go to the encapsulating router socket: ipipd
> ipfw add divert 4444 ip from not 10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,192.168.0.0/16 to 'table(1)' in not dst-port 135-139,445,1025-1028
>
> # other 44 addresses go next door for analysis
> ipfw add forward 192.168.44.252 all from any to 44.0.0.0/8
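As an added example (not part of the thread, and not Brian's actual configuration), here is the reordering Will proposes written out as a reviewable ipfw ruleset: the cheap unconditional denies come first, the divert rule is reduced to the single table lookup, and the 44/8 forward stays last. The interface name EXT_IF, the rule numbers and the assumption that table 1 is already populated with the "known" addresses are mine, not from the mail; the script only prints the commands so the ordering can be checked before anything is loaded into the kernel.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the reordered ruleset
# suggested in the reply so it can be reviewed, then loaded.
# Assumptions (not in the original mail): the external interface is named
# in EXT_IF, table 1 already holds the known addresses, rule numbers are
# arbitrary, and the box is a FreeBSD router where ipfw is the packet filter.
EXT_IF="${EXT_IF:-em0}"

emit_ipfw_rules() {
    # 1. Cheapest checks first: bogon/RFC1918 sources arriving on the
    #    external interface are dropped before the divert rule is reached.
    echo "ipfw add 100 deny ip from 10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,192.168.0.0/16 to any in recv ${EXT_IF}"
    # 2. Services that should never be allowed in (the NetBIOS/SMB/RPC ports
    #    the original divert rule excluded), one rule per transport.
    echo "ipfw add 200 deny tcp from any to any dst-port 135-139,445,1025-1028 in recv ${EXT_IF}"
    echo "ipfw add 210 deny udp from any to any dst-port 135-139,445,1025-1028 in recv ${EXT_IF}"
    # 3. The divert to ipipd, now just a destination-table lookup.
    echo "ipfw add 300 divert 4444 ip from any to 'table(1)' in recv ${EXT_IF}"
    # 4. Unchanged from the original: remaining 44/8 traffic goes next door.
    echo "ipfw add 400 forward 192.168.44.252 all from any to 44.0.0.0/8"
}

# Guard against accidentally reintroducing the original ordering: every
# deny rule must carry a lower number than the divert rule, because ipfw
# stops at the first matching rule.
check_order() {
    emit_ipfw_rules | awk '
        /deny/   { if ($3 + 0 > max_deny) max_deny = $3 + 0 }
        /divert/ { divert = $3 + 0 }
        END      { exit !(max_deny < divert) }'
}

# Review: sh reorder.sh
# Load (as root, after `ipfw -q flush`): sh reorder.sh | sh
check_order && emit_ipfw_rules
```

Two caveats a practitioner would want before trying this. First, reordering only reduces the number of rules evaluated per packet; the divert itself still copies every matching packet to the ipipd socket and back, and with the default `net.inet.ip.fw.one_pass=1` the reinjected packet is not run through the rules a second time, so the divert rule remains terminal either way. Second, rule 100 drops RFC1918 sources on the external interface only (`recv ${EXT_IF}`); dropping them globally would also affect the 192.168.44.252 next hop used by the forward rule, so keep the interface qualifier if that host sits on an internal interface.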