First and foremost: this is just a preview, only usable for testing now, but very very close to working.

http://info.iet.unipi.it/~luigi/netmap/20120725-ipfw-user.tgz

At the above URL you can find a userspace version of ipfw that reads packets from a netmap-compatible port (i.e. a netmap supported interface, or a port on a VALE bridge), and processes them through ipfw. It builds and runs on both Linux and FreeBSD, and uses the ipfw sources from today's HEAD. Right now the output is thrown away, but very shortly the code will also send it to an output port.

The way it works is very simple (see also the picture below, drawn with http://www.asciiflow.com/ ). The formerly-kernel-side part of the firewall now runs in a userspace process (kipfw) and is controlled by a slightly modified ipfw that routes the sockopt commands over TCP to localhost:5555 (hardwired). kipfw stores rules persistently, and also reads from a netmap port.

The configuration below shows how to use pkt-gen to test the performance of the system: you need to load the VALE-enabled netmap module, then in one terminal run "kipfw vale-test", in another terminal use the ipfw that you just built to add/delete/show stuff, and you can use netmap's pkt-gen to generate traffic.

                                                 +------------+
                                                 |            |
+----------+          +----------------+         |            |
|          | tcp/5555 |                |         |  pkt-gen   |
|   ipfw   +--------->|     kipfw      |         |            |
|          |          |                |         |            |
+----------+          +----------------+         +-----+------+
                              ^                        |
                              |                        |
                              |                        |
                              |                        v
                      +-------+--------------------------+
                      |                                  |
                      |           VALE bridge            |
                      |                                  |
                      +----------------------------------+

A quick test with a simple ruleset (4 rules, see below) shows a processing speed of 9-10Mpps on one core. I think there is still room for a little bit of improvement. Especially, we can now test the performance impact of changes to the firewall code without the need for complex hardware setups.

> ipfw/ipfw show
connected to 127.0.0.1:5555
00100 30628621 1408916566 count ip from any to any dst-ip 10.1.0.1
00100 0 0 count ip from any to any dst-ip 10.1.0.2
00100 0 0 count ip from any to any dst-ip 10.1.0.3
65535 30628621 1408916566 allow ip from any to any

cheers
luigi
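
Added example, not part of the original post or of the ipfw/netmap sources: a Python parser for the "ipfw show" counter lines quoted above that derives the average packet size per rule and, from two snapshots, the packets-per-second rate. The second snapshot and the 3-second interval are constructed values; rules are matched by position because the ruleset above reuses number 00100.

```python
import re
from typing import NamedTuple

class Rule(NamedTuple):
    number: int
    packets: int
    nbytes: int
    body: str

# <rule number> <packets> <bytes> <rule body>, as in the output quoted above
LINE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(.+)$")

def parse_show(text):
    """Return counter lines in order; skip others (e.g. the 'connected to' banner)."""
    matches = (LINE.match(line.strip()) for line in text.splitlines())
    return [Rule(int(m[1]), int(m[2]), int(m[3]), m[4]) for m in matches if m]

def avg_packet_size(rule):
    """Bytes per packet as counted by the rule; 0.0 for a rule never hit."""
    return rule.nbytes / rule.packets if rule.packets else 0.0

def rates(before, after, seconds):
    """Per-rule packets/second between two snapshots, matched by position."""
    if len(before) != len(after) or seconds <= 0:
        raise ValueError("snapshots must come from the same ruleset")
    out = []
    for b, a in zip(before, after):
        if (b.number, b.body) != (a.number, a.body):
            raise ValueError("ruleset changed between snapshots")
        if a.packets < b.packets:
            raise ValueError("counters were reset between snapshots")
        out.append((a.number, a.body, (a.packets - b.packets) / seconds))
    return out

# Output quoted in the post.
SNAP_1 = """connected to 127.0.0.1:5555
00100 30628621 1408916566 count ip from any to any dst-ip 10.1.0.1
00100 0 0 count ip from any to any dst-ip 10.1.0.2
00100 0 0 count ip from any to any dst-ip 10.1.0.3
65535 30628621 1408916566 allow ip from any to any
"""
# Constructed sample: the same ruleset read again 3 seconds later.
SNAP_2 = """connected to 127.0.0.1:5555
00100 59128621 2719916566 count ip from any to any dst-ip 10.1.0.1
00100 0 0 count ip from any to any dst-ip 10.1.0.2
00100 0 0 count ip from any to any dst-ip 10.1.0.3
65535 59128621 2719916566 allow ip from any to any
"""

if __name__ == "__main__":
    for number, body, pps in rates(parse_show(SNAP_1), parse_show(SNAP_2), 3):
        print(f"{number:05d} {pps / 1e6:6.2f} Mpps  {body}")
```

On the counters quoted in the post, the first rule works out to exactly 46 bytes per packet.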