Would breaking the rule out into separate smaller rules help improve the bottleneck?
It looks like ipfw uses a 'first rule wins' model, so perhaps re-ordering could help. Filter all the bogon and RFC1918 IPs out first, then filter out the netbios traffic and anything else that globally shouldn't be allowed, with the divert rule being simplified and left to the end.
--
Will
On 7/21/15 2:51 PM, Brian Kantor wrote:
> Statistics and experiments show that the bottleneck is the IP input
> routines processing the ipfw rules. Since this is single-threaded inside
> the kernel, more cores over the effective 4 we have now will probably
> not help. As you can see from the snapshot below, the task queue for the
> input interface is full and that is where the packets are being dropped.
>
> # known addresses go to the encapsulating router socket: ipipd
> ipfw add divert 4444 ip from not 10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,192.168.0.0/16 to 'table(1)' in not dst-port 135-139,445,1025-1028
> # other 44 addresses go next door for analysis
> ipfw add forward 192.168.44.252 all from any to 44.0.0.0/8
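As an added illustration (not part of either message), a small Python first-match model of the two quoted rules against the proposed ordering, run over constructed packets, shows which flows change outcome when the denies move ahead of a simplified divert; the contents of table(1) are assumed, and the `in` direction keyword and protocol are ignored.

```python
import ipaddress

# Constructed first-match model of the quoted ipfw rules; packets are
# (src, dst, dst_port), with direction ('in') and protocol ignored.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "169.254.0.0/16", "192.168.0.0/16")]
NETBIOS_PORTS = set(range(135, 140)) | {445} | set(range(1025, 1029))
TABLE1 = [ipaddress.ip_network("44.1.2.0/24")]  # assumed contents of table(1)
NET44 = [ipaddress.ip_network("44.0.0.0/8")]

def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)

# The quoted rules: one compound divert rule, then the forward rule.
ORIGINAL = [
    (lambda s, d, p: not in_any(s, RFC1918) and in_any(d, TABLE1)
     and p not in NETBIOS_PORTS, "divert 4444"),
    (lambda s, d, p: in_any(d, NET44), "forward 192.168.44.252"),
]

# The proposed ordering: cheap global denies first, simplified divert last.
REORDERED = [
    (lambda s, d, p: in_any(s, RFC1918), "deny"),
    (lambda s, d, p: p in NETBIOS_PORTS, "deny"),
    (lambda s, d, p: in_any(d, TABLE1), "divert 4444"),
    (lambda s, d, p: in_any(d, NET44), "forward 192.168.44.252"),
]

def first_match(rules, pkt):
    """ipfw semantics: the first matching rule decides the packet."""
    for pred, action in rules:
        if pred(*pkt):
            return action
    return "fall-through"  # continues to whatever rules follow

def differing(packets):
    """Packets whose fate changes under the re-ordering (the cases to review)."""
    return [(pkt, first_match(ORIGINAL, pkt), first_match(REORDERED, pkt))
            for pkt in packets
            if first_match(ORIGINAL, pkt) != first_match(REORDERED, pkt)]

# Constructed sample flows.
SAMPLE = [
    ("8.8.8.8", "44.1.2.3", 80),    # public -> table(1) host, normal port
    ("8.8.8.8", "44.1.2.3", 445),   # public -> table(1) host, SMB port
    ("10.1.1.1", "44.1.2.3", 22),   # RFC1918 source -> table(1) host
    ("8.8.8.8", "44.9.9.9", 22),    # public -> other 44/8 address
]
```

`differing(SAMPLE)` reports that SMB traffic and RFC1918-sourced traffic to table(1) hosts, which the original ruleset handed to the forward rule for analysis next door, would be dropped outright under the new ordering; whether that is acceptable is the check to make before re-ordering.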