All,

Currently, when you have any rules which contain UID/GID constraints, ipfw will lock the pcb hash and do a lookup to find the pcb associated with that packet -- one for each constraint.

I have written a patch in an attempt to minimize the impact of PCB related lookups for these types of firewall rules. This patch will have the following effects on firewalls which contain UID/GID constraints:

  o Greatly reduce the locking contention associated with PCB lookups.
  o Increase the performance of the firewall in general by making PCB lookups O(1) rather than O(n) (where n represents the number of UID/GID constraints in the ruleset)

It would be greatly appreciated if people who are running ipfw rule sets containing UID/GID constraints tested this patch and reported any success or failures.

The patch can be downloaded from:

http://people.freebsd.org/~csjp/ip_fw2_cached_ucred.patch

NOTE: It also appears that ip_output passes a reference to the PCB. Perhaps we can hold a reference to the ucred stored in that entry and do away with lookups on outgoing packets altogether?

--
Christian S.J. Peron
[EMAIL PROTECTED]
FreeBSD Committer
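
The per-packet lookup cost described in the message above, as an added example that is not the patch or any ipfw code: a user-space C model in which every name and the sample table are constructed. It also remembers a failed lookup, so a packet with no PCB costs one lookup rather than one per constraint.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed user-space model: every name here is hypothetical, not from ipfw. */
struct cred { unsigned uid, gid; };
enum kind { MATCH_UID, MATCH_GID };
struct constraint { enum kind kind; unsigned id; };
/* Constructed sample data: socket id -> owning credential, and a 4-constraint ruleset. */
static const struct cred pcb_table[] = { {1001, 100}, {0, 0}, {1002, 100} };
static const struct constraint rules[] = {
    {MATCH_UID, 2000}, {MATCH_UID, 2001}, {MATCH_GID, 300}, {MATCH_UID, 1002} };
#define N(a) (sizeof(a) / sizeof((a)[0]))
static unsigned long locked_lookups;  /* one per simulated "lock hash + find pcb" */

static const struct cred *pcb_lookup(int sock_id)
{
    locked_lookups++;
    if (sock_id < 0 || (size_t)sock_id >= N(pcb_table))
        return NULL;                  /* no pcb for this packet */
    return &pcb_table[sock_id];
}

/* Index of the first matching constraint, or -1; use_cache keeps the lookup result (even a miss). */
int eval_ruleset(int sock_id, int use_cache)
{
    const struct cred *c = NULL;
    int have = 0;
    for (size_t i = 0; i < N(rules); i++) {
        if (!use_cache || !have) {
            c = pcb_lookup(sock_id);
            have = 1;
        }
        if (c != NULL && (rules[i].kind == MATCH_UID ? c->uid : c->gid) == rules[i].id)
            return (int)i;
    }
    return -1;
}

/* Number of locked lookups one packet costs in the chosen mode. */
unsigned long lookups_for(int sock_id, int use_cache)
{
    locked_lookups = 0;
    (void)eval_ruleset(sock_id, use_cache);
    return locked_lookups;
}

int main(void) {
    printf("uncached=%lu cached=%lu\n", lookups_for(2, 0), lookups_for(2, 1));
    return 0;
}
```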