In addition to the already-mentioned ipfw per-CPU state tracking, Sepherosa Ziehau has added per-CPU state tables to ipfw, and his commit documents the improvement in performance/latency. He’s also added ipfw support to sshlockout(8).
5 Replies to “More ipfw work”
The latency / performance for the 99% though gets crazy with ipfw.
Seems like some type of lock is happening because without ipfw, the 99% is flat. With ipfw, the 99% jumps exponentially high.
For a rule-based blacklist, the rule iteration is linear, so a performance drop w/ increasing # of rules is much expected. The rule list itself is _lockless_, but rule evaluation has its own cost. That’s the main reason to use a table for the blacklist, which scales pretty well w/ the # of addresses.
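The scaling difference described in the comment above, as an added illustration that is not part of the original thread and not ipfw's code: a one-rule-per-address blacklist is walked in order, while a table is modelled here by a binary trie (an assumed stand-in for the table's lookup structure). The addresses are constructed sample data, and all function names are hypothetical.

```python
import ipaddress

def linear_lookup(rules, addr):
    """Walk deny rules in order, as with one rule per blacklisted address.
    Returns (blocked, rules_examined)."""
    ip = ipaddress.ip_address(addr)
    for examined, net in enumerate(rules, start=1):
        if ip in net:
            return True, examined
    return False, len(rules)

def build_table(networks):
    """Binary trie keyed on address bits; a node marked 'hit' ends a listed prefix."""
    root = {}
    for net in networks:
        node = root
        bits = format(int(net.network_address), "032b")[:net.prefixlen]
        for b in bits:
            node = node.setdefault(b, {})
        node["hit"] = True
    return root

def table_lookup(root, addr):
    """Returns (blocked, nodes_visited); never more than 32 steps for IPv4."""
    node, visited = root, 0
    for b in format(int(ipaddress.ip_address(addr)), "032b"):
        if node.get("hit"):
            return True, visited
        node = node.get(b)
        if node is None:
            return False, visited
        visited += 1
    return bool(node.get("hit")), visited

def compare(n, probe="10.0.0.8"):
    """Cost of checking one unlisted address against n blacklisted hosts."""
    # Constructed sample blacklist: n host addresses inside 10.0.0.0/8.
    nets = [ipaddress.ip_network(f"10.{i >> 8}.{i & 255}.7/32") for i in range(n)]
    rule_hit, rule_steps = linear_lookup(nets, probe)
    table_hit, table_steps = table_lookup(build_table(nets), probe)
    return rule_hit, rule_steps, table_hit, table_steps

if __name__ == "__main__":
    for n in (10, 1000, 10000):
        print(n, compare(n))
```

The rule walk costs one check per rule for any address that is not listed, while the trie walk stays bounded by the address width no matter how many entries are loaded.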
Thanks Sepherosa. That was great insight.
You do awesome work.
Really wish DragonflyBSD had wider adoption so that more people would get to appreciate all you have accomplished on the network stack.
Maybe add “alias ls ls -G” or change the prompt to display the current path (i.e. “%n@%m:%~ # ” ) for a better out-of-the-box experience.
I agree with Erik on the work that Sepherosa has done; if you keep an eye on at least the FreeBSD mailing lists, he shows up there too, so some of the work is getting elsewhere. As for more people adopting DragonFly, it’s a double-edged sword. More people using sometimes is more people complaining.