Message-Id: <201105021608.p42G86IW043674@red.freebsd.org>
Date: Mon, 2 May 2011 16:08:06 GMT
From: Alexandr <alter@alter.org.ua>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfw/dummynet: performance improvement and several extensions

>Number:         156770
>Category:       kern
>Synopsis:       [ipfw] [dummynet] [patch]: performance improvement and several extensions
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    melifaro
>State:          suspended
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 02 16:10:10 UTC 2011
>Closed-Date:    
>Last-Modified:  Mon Oct 14 11:11:14 UTC 2013
>Originator:     Alexandr
>Release:        7.2-RELEASE-p8
>Organization:
NetAssist
>Environment:
FreeBSD homecat.alter.org.ua 7.2-RELEASE-p8 FreeBSD 7.2-RELEASE-p8 #6: Sat Apr 23 12:52:20 EEST 2011
     root@homecat.alter.org.ua:/usr/src/sys/i386/compile/CAT_v14c  i386

>Description:
# add commands zshow, replace
# option -Q for ignoring ALL errors in ruleset
# add 'skipto tablearg'
# add 'via table()', you can insert interface name into table
# add condition 'if-index' - number of interface (e.g. for vlan55 it would be 55)
# indexing of rules in kernel (index table) for fast handling of skipto tablearg, and effective add/remove of large amount of rules.
# mapped table - for tables containing many single IPs (e.g. /32) we perform large subnet lookup via b-tree (e.g. /23, controlled by sysctl net.inet.ip.fw.def_map_mlen), and inside each /23 perform table lookup. Works much faster.
# map table - hash-based division of a large IP block into several small ones. For example, /16 can be divided into 256 subnets. We can do it by 3rd octet (hoffset 16, hlen 8). Also, we can do it by 4th octet (hoffset 24, hlen 8). hoffset defines the number of the 1st bit of the hash, hlen - hash length in bits. Also, we define base IP and netmask for the map table to match the large IP block.
# indexed pipe lookup table (controlled by sysctl net.inet.ip.dummynet.full_indexing)
# traffic counter/limiter - count-upd, count-check, count-exceed.
# nexthop ipfw action. In contrast to fwd it just sets the next-hop for the packet and continues rule processing.
# optimized dummynet io_fast. Value 2 makes dummynet just forward the packet without placing it in the queue, if the bandwidth limit is not exceeded. When the value is set to 1 the packet is added and then removed from the queue (it is a bit slower).
# it is possible to use bmap instead of port list. It gives a performance benefit when you have a large list of services. Lookup time doesn't depend on list size. Rather useful for QoS of game traffic.
# Fast ipfw tagging (ftag) - you can assign up to 32 ftags on a packet. All ftags are stored in a single memory block as a bitmap. They are faster than usual tags, which allocate a separate memory block for each tag.
# Local ipfw tagging (ltag) - you can assign up to 32 ltags on a packet. Ltags are not preserved when the packet leaves the ipfw ruleset (e.g. is sent to another interface, diverted or passed through a pipe). The benefit is performance - ltag does not require memory allocation at all.
>How-To-Repeat:

>Fix:
http://alter.org.ua/soft/fbsd/ipfw/ipfw.72.20110501.patch.gz

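The map-table split described in the PR Description (a large block selected by base IP and netmask, hashed on the hlen bits starting at bit hoffset, e.g. a /16 divided into 256 sub-tables by the 3rd octet), modelled here as an added C example that is not code from the PR's patch; the struct layout, function names, the 256-bucket bound and the per-bucket capacity are assumptions of this model, and the bucket index is bounds-checked so a malformed hoffset/hlen cannot index outside the table:

```c
#include <stdbool.h>
#include <stdint.h>

/* Build a host-byte-order IPv4 address from its octets. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MAP_MAX_BUCKETS 256  /* assumption: hlen <= 8 in this model */
#define BUCKET_CAP      8    /* assumption: /32 members per bucket in this model */

struct map_table {
    uint32_t base, mask;        /* the large block the table matches */
    unsigned hoffset, hlen;     /* hash window: first bit (0 = MSB) and width */
    uint32_t hosts[MAP_MAX_BUCKETS][BUCKET_CAP];
    unsigned count[MAP_MAX_BUCKETS];
};

/* Bucket index for addr, or -1 when addr is outside the block or the
 * hash window is malformed; the checks keep a bad config from indexing
 * past the end of hosts[]. */
int map_bucket(const struct map_table *t, uint32_t addr)
{
    if (t->hlen == 0 || t->hlen > 8 || t->hoffset > 32 || t->hoffset + t->hlen > 32)
        return -1;
    if ((addr & t->mask) != (t->base & t->mask))
        return -1;
    unsigned shift = 32 - t->hoffset - t->hlen;   /* hoffset 16, hlen 8 -> 3rd octet */
    return (int)((addr >> shift) & ((1u << t->hlen) - 1));
}

/* Insert a /32 member; false if it is outside the block or the bucket is full. */
bool map_add(struct map_table *t, uint32_t addr)
{
    int b = map_bucket(t, addr);
    if (b < 0 || t->count[b] >= BUCKET_CAP)
        return false;
    t->hosts[b][t->count[b]++] = addr;
    return true;
}

/* One hash plus a scan of a single small bucket, independent of the
 * total number of /32 entries: the speed-up the PR claims for such tables. */
bool map_lookup(const struct map_table *t, uint32_t addr)
{
    int b = map_bucket(t, addr);
    if (b < 0)
        return false;
    for (unsigned i = 0; i < t->count[b]; i++)
        if (t->hosts[b][i] == addr)
            return true;
    return false;
}
```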
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue May 3 06:50:31 UTC 2011 
Responsible-Changed-Why:  
reclassify. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=156770 
Responsible-Changed-From-To: freebsd-net->freebsd-ipfw 
Responsible-Changed-By: ae 
Responsible-Changed-When: Tue May 3 11:42:34 UTC 2011 
Responsible-Changed-Why:  
Seems it is related to ipfw. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=156770 

From: Коньков Евгений <kes-kes@yandex.ru>
To: bug-followup@FreeBSD.org, alter@alter.org.ua
Cc:  
Subject: Re: kern/156770: [ipfw] [dummynet] [patch]: performance improvement and several extensions
Date: Sat, 28 Jan 2012 17:58:56 +0200

 Hi, Team.
 
 Do you plan to port this patch to FreeBSD-10 or 9?
 It will be very nice
 
 especially this feature:
  # it is possible to use bmap instead of port list. It gives performance benefit when you have large list of services. Lookup time doesn't depend on list size. Rather useful to QoS game traffic.
 

From: Alter <alter@alter.org.ua>
To: bug-followup@FreeBSD.org, Alter <alter@alter.org.ua>
Cc:  
Subject: Re: kern/156770: [ipfw] [dummynet] [patch]: performance improvement and several extensions
Date: Thu, 14 Jun 2012 17:11:18 +0200

 Hello bug-followup,
 
 I've made unified diff for this patch:
 http://alter.org.ua/soft/fbsd/ipfw/ipfw.72.20120614u.patch.gz
 
 About porting: seems, I'll port it to 8.x soon.
 
 Also, there were some discussions about various features of this
 patch and dividing it into separate patches (one for each feature).
 What I can do almost immediately is making single patch with some
 subset of new features. Even with some additional sysctls or #define's
 (to enable/disable feature).
 I just need to know the final decision and feature list.
 
 -- 
 Best regards,
  Alter                          mailto:alter@alter.org.ua
 

From: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To: bug-followup@FreeBSD.org, alter@alter.org.ua
Cc:  
Subject: Re: kern/156770: [ipfw] [dummynet] [patch]: performance improvement
 and several extensions
Date: Fri, 15 Jun 2012 16:35:56 +0400

 Hello Alexandr!
 
 I'm afraid a single huge patch for a legacy release is not the promising start.
 Since development model assumes new code being committed to -current 
 first, you should probably port these features to -current (it does not 
 differ from 8-STABLE much).
 It is also much easier to discuss/import features by small chunks 
 instead of single huge change, so splitting every feature into separate 
 diff is possibly  a good thing to do.
 
 Please note that some of functionality (skipto tablearg, interface 
 tables are already implemented in a different way).
 
 Personally for me index table for fast skipto/pipes, mapped tables and 
 io_fast patch looks very promising, so we can discuss directly if you're 
 interested.
 
 
Responsible-Changed-From-To: freebsd-ipfw->melifaro 
Responsible-Changed-By: melifaro 
Responsible-Changed-When: Sun Jul 1 15:54:17 UTC 2012 
Responsible-Changed-Why:  
Take 

http://www.freebsd.org/cgi/query-pr.cgi?pr=156770 

From: Luigi Rizzo <rizzo@iet.unipi.it>
To: melifaro@freebsd.org, bug-followup@freebsd.org, alter@alter.org.ua
Cc: freebsd-ipfw@freebsd.org
Subject: Re: kern/156770: [ipfw] [dummynet] [patch]: performance improvement and several extensions
Date: Sun, 1 Jul 2012 21:09:21 +0200

 On Sun, Jul 01, 2012 at 03:54:35PM +0000, melifaro@freebsd.org wrote:
 > Synopsis: [ipfw] [dummynet] [patch]: performance improvement and several extensions
 > 
 > Responsible-Changed-From-To: freebsd-ipfw->melifaro
 > Responsible-Changed-By: melifaro
 > Responsible-Changed-When: Sun Jul 1 15:54:17 UTC 2012
 > Responsible-Changed-Why: 
 > Take
 > 
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=156770
 
 Alex,
 please any ipfw-related patch through me before committing.
 
 On this specific PR i have some comments and several concerns.
 
 First, as mentioned in the thread, some specific features (e.g. ftags)
 might be of interest, but the fact that this is a single monolithic patch
 makes it hard to apply and review. Especially, at least judging from the
 description, i believe some of the changes replicate features that
 were already inserted around 2009 and later (in then-head).
 
 On the negative side:
 - documentation on new features is completely absent. Just a brief mention
   in the manpage of ftag/funtag, a short comment in a C source code.
 
 - the way some features are implemented is through adding new IOCTLs,
   which is the wrong way of doing things. In the 2009 rewrite (ipfw3)
   i tried to use a single ioctl which carries tagged messages
   for the various requests (similar to the microinstructions which make
   up a rule) so the code is easier to extend without breaking ABIs.
   Please follow the new style if you need to add commands.
 
 - can you please split the patch in individual components, and
   make sure that they do not replicate functions already existent
   (or if they do, are they an improvement) ? I am especially
   referring to indexed skipto
 
 - a large number of changes to the userspace code replaces errx()
   with return my_err(...) . I might agree on the principle, but
   I'd like to see a few notes on why this change is required,
   and whether it can be applied independently of the others.
   
 cheers
 luigi

From: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To: Luigi Rizzo <rizzo@iet.unipi.it>
Cc: bug-followup@freebsd.org, alter@alter.org.ua, 
 freebsd-ipfw@freebsd.org
Subject: Re: kern/156770: [ipfw] [dummynet] [patch]: performance improvement
 and several extensions
Date: Sun, 01 Jul 2012 23:09:00 +0400

 On 01.07.2012 23:09, Luigi Rizzo wrote:
 > On Sun, Jul 01, 2012 at 03:54:35PM +0000, melifaro@freebsd.org wrote:
 >> Synopsis: [ipfw] [dummynet] [patch]: performance improvement and several extensions
 >>
 >> Responsible-Changed-From-To: freebsd-ipfw->melifaro
 >> Responsible-Changed-By: melifaro
 >> Responsible-Changed-When: Sun Jul 1 15:54:17 UTC 2012
 >> Responsible-Changed-Why:
 >> Take
 >>
 >> http://www.freebsd.org/cgi/query-pr.cgi?pr=156770
 >
 > Alex,
 Not sure if you're speaking to me, since both submitter and I are 
 Alexanders :) However I'll try to answer some of the questions.
 > please any ipfw-related patch through me before committing.
 >
 > On this specific PR i have some comments and several concerns.
 >
 > First, as mentioned in the thread, some specific features (e.g. ftags)
 > might be of interest, but the fact that this is a single monolithic patch
 > makes it hard to apply and review. Especially, at least judging from the
 > description, i believe some of the changes replicate features that
 > were already inserted around 2009 and later (in then-head).
 We already got private discussion resulting in preparation of some most 
 interesting (at least to me) parts of code to be split into different 
 patches and remade to work on -current.
 
 Particularly I'm interested in rule indexes mostly.
 
 >
 > On the negative side:
 > - documentation on new features is completely absent. Just a brief mention
 >    in the manpage of ftag/funtag, a short comment in a C source code.
 >
 > - the way some features are implemented is through adding new IOCTLs,
 >    which is the wrong way of doing things. In the 2009 rewrite (ipfw3)
 >    i tried to use a single ioctl which carries tagged messages
 >    for the various requests (similar to the microinstructions which make
 >    up a rule) so the code is easier to extend without breaking ABIs.
 >    Please follow the new style if you need to add commands.
 IP_FW3 is already used in ipv6 tables code, so there are some ipfw(8) 
 and kernel code to reuse.
 >
 > - can you please split the patch in individual components, and
 >    make sure that they do not replicate functions already existent
 >    (or if they do, are they an improvement) ? I am especially
 >    referring to indexed skipto
 >
 > - a large number of changes to the userspace code replaces errx()
 >    with return my_err(...) . I might agree on the principle, but
 >    I'd like to see a few notes on why this change is required,
 >    and whether it can be applied independently of the others.
 >
 > cheers
 > luigi
 >
 

From: Alter <alter@alter.org.ua>
To: Luigi Rizzo <rizzo@iet.unipi.it>
Cc: melifaro@freebsd.org, bug-followup@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re[2]: kern/156770: [ipfw] [dummynet] [patch]: performance improvement and several extensions
Date: Mon, 2 Jul 2012 13:24:09 +0200

 Hello Luigi,
 
 Seems, Alex answered most of your questions
 
 LR> On the negative side:
 LR> - documentation on new features is completely absent. Just a brief mention
 LR>   in the manpage of ftag/funtag, a short comment in a C source code.
 
 # Fast ipfw tagging (ftag) - you can assign up to 32 ftags on a packet.
 All ftags are stored in a single memory block as a bitmap. They are faster than
 usual tags, which allocate a separate memory block for each tag.
 
 # Local ipfw tagging (ltag) - you can assign up to 32 ltags on a packet.
 Ltags are not preserved when the packet leaves the ipfw ruleset (e.g. is sent
 to another interface, diverted or passed through a pipe). The benefit is
 performance - ltag does not require memory allocation at all.
 
 (from http://alter.org.ua/soft/fbsd/ipfw/)
 
 LR> - a large number of changes to the userspace code replaces errx()
 LR>   with return my_err(...) . I might agree on the principle, but
 LR>   I'd like to see a few notes on why this change is required,
 LR>   and whether it can be applied independently of the others.
 
 This change is required to let -q work properly in all cases.
 Because of incomplete error handling ipfw may eventually exit
 when processing an incorrect rule regardless of the -q option.
 Such behavior seems to be dangerous, especially when dealing with remote
 servers and auto-generated rulesets.
 E.g. a ruleset may become invalid because of removal of some interface
 from the system. Also, an incorrect update of an external config file (used for
 ruleset generation) may lead the system to an inaccessible state.
 
 my_err() either calls errx() (without -q) or returns a proper error code
 for handling in the caller (with -q)
 
 -- 
 Best regards,
  Alter                            mailto:alter@alter.org.ua
 

From: Luigi Rizzo <rizzo@iet.unipi.it>
To: Alter <alter@alter.org.ua>
Cc: melifaro@freebsd.org, bug-followup@freebsd.org,
	freebsd-ipfw@freebsd.org
Subject: Re: kern/156770: [ipfw] [dummynet] [patch]: performance improvement and several extensions
Date: Mon, 2 Jul 2012 14:51:30 +0200

 On Mon, Jul 02, 2012 at 01:24:09PM +0200, Alter wrote:
 > Hello Luigi,
 > 
 > Seems, Alex answered most of your questions
 > 
 > LR> On the negative side:
 > LR> - documentation on new features is completely absent. Just a brief mention
 > LR>   in the manpage of ftag/funtag, a short comment in a C source code.
 > 
 > # Fast ipfw tagging (ftag) - you can assign up to 32 ftags on packet.
 > All ftags are stored in single memory block as bitmap. Are faster than
 > usual tags, those allocate separate memory block for each tag.  
 > 
 > # Local ipfw tagging (ltag) - you can assign up to 32 ltags on packet.
 > Ltags are not preserved when packet leaves ipfw ruleset (e.g. is sent
 > to another interface, diverted or passed through pipe). The benefit is
 > performance - ltag does not require memory allocation at all.
 > 
 > (from http://alter.org.ua/soft/fbsd/ipfw/)
 
 i understand that the features are nice, however you need to add
 explanations in the manpage and in the code, not just in this email.
 Same goes for the rest of the features.
 
 So, let's restart the discussion once you have a patch that is
 referred to HEAD and has the various features split and documented.
 
 
 > LR> - a large number of changes to the userspace code replaces errx()
 > LR>   with return my_err(...) . I might agree on the principle, but
 > LR>   I'd like to see a few notes on why this change is required,
 > LR>   and whether it can be applied independently of the others.
 > 
 > This change is required to let -q work properly in all cases.
 > Because of incomplete error handling ipfw may eventually exit
 > when processing an incorrect rule regardless of the -q option.
 
 ok, that is a good change but then you should again separate the
 error handling patch from the one adding new features.
 
 > Such behavior seems to be dangerous, especially when dealing with remote
 > servers and auto-generated rulesets.
 > E.g. a ruleset may become invalid because of removal of some interface
 > from the system. Also, an incorrect update of an external config file (used for
 > ruleset generation) may lead the system to an inaccessible state.
 
 the previous two sentences have nothing to do with syntax checking
 (which is all the frontend can do).
 
 
 > my_err() either calls errx() (without -q) or returns a proper error code
 > for handling in the caller (with -q)
 
 cheers
 luigi
 
 > -- 
 > Best regards,
 >  Alter                            mailto:alter@alter.org.ua
 > 
State-Changed-From-To: open->suspended 
State-Changed-By: melifaro 
State-Changed-When: Mon Oct 14 11:10:42 UTC 2013 
State-Changed-Why:  
No response from author. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=156770 
>Unformatted:
