Firewall jump rules - for better performance?

Hi guys.

Let’s say I have got 3 VLANs - vlan10, vlan20, vlan30 - and 300 fw rules, 100 per VLAN, based on accepting connections to dst.address lists vlan10, vlan20, vlan30.
Some packets have to be processed through all 300 rules in this scenario.

And now I’m thinking about adding jump rules into my config:

  1. if dst.address list is vlan10, jump to chain “IntoVlan10”,
  2. group vlan10 rules into chain “IntoVlan10”,
  3. add in this chain drop rule at the bottom,
  4. do it for other vlans.

In this scenario some packets have to be processed through 100 rules + jump rules.

Let’s not discuss other rules and focus only on the example for now.
Am I thinking properly? Is it a good direction and it should improve router performance?

Conceptually, that is correct: your first jump rule would match everything going to vlan10; if not, it would skip directly to the second jump rule, etc., adding one evaluation for the rules to vlan10, 2 evaluations but removing 100 evaluations for the rules to vlan20, and 3 evaluations but removing 200 evaluations for the rules to vlan30. In that scenario and supposing that the hits are fairly distributed across all the rules - and they may not be - you would go from an average of 150 evaluations down to 51-ish evaluations and 1 jump on average.

In the second level table, for example “IntoVlan10”, you can also have jumps depending on whether the packet comes from vlan20 or vlan30, and have the final actions in that 3rd level table, which means that packets from vlan30 would skip the processing of the rules from vlan20.

Determining whether it would improve router performance is a bit more delicate: imagine that out of your 300 rules, one is hit 99% of the time - and we are not talking established but really a rule for new connections. Depending on where it is located in your rulebase, you may end up having one more evaluation. In that case, a performance boost would be to move it before evaluating to which table the evaluator should jump.
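
Added example, not from the thread: a small Python model of the flat and jump-chain layouts discussed in this answer, counting how many rules a packet is compared against before a terminal action. Chain names follow the thread; the `key` field (which specific rule a packet hits) and the two traffic mixes are my own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    dst_list: Optional[str]       # destination address list; None = any
    key: Optional[int]            # which sub-rule of that list; None = any
    action: str                   # "accept", "drop" or "jump"
    target: Optional[str] = None  # chain to jump to when action == "jump"

def evaluate(chains, chain, vlan, key):
    """Walk `chain` for one packet; return (terminal action, rules evaluated)."""
    count = 0
    for rule in chains[chain]:
        count += 1
        if rule.dst_list not in (None, vlan) or rule.key not in (None, key):
            continue
        if rule.action != "jump":
            return rule.action, count
        action, sub = evaluate(chains, rule.target, vlan, key)
        count += sub
        if action is not None:       # sub-chain hit a terminal rule
            return action, count
    return None, count               # end of chain: fall back to the caller

def expected_evaluations(chains, traffic):
    """traffic: (vlan, key, share) triples whose shares sum to 1."""
    return sum(share * evaluate(chains, "forward", vlan, key)[1]
               for vlan, key, share in traffic)

VLANS, PER_VLAN = ["vlan10", "vlan20", "vlan30"], 100

def flat_layout():
    """All 300 accept rules in one chain, drop at the bottom."""
    rules = [Rule(v, k, "accept") for v in VLANS for k in range(PER_VLAN)]
    return {"forward": rules + [Rule(None, None, "drop")]}

def jump_layout(hot=None):
    """One jump per VLAN into its own chain; hot=(vlan, key) is placed first."""
    forward = [Rule(*hot, "accept")] if hot else []
    forward += [Rule(v, None, "jump", "Into" + v.capitalize()) for v in VLANS]
    chains = {"forward": forward + [Rule(None, None, "drop")]}
    for v in VLANS:  # each sub-chain ends in its own drop, as proposed above
        sub = [Rule(v, k, "accept") for k in range(PER_VLAN)]
        chains["Into" + v.capitalize()] = sub + [Rule(None, None, "drop")]
    return chains

# Constructed traffic mixes: uniform hits, and one bottom rule taking 99 %.
UNIFORM = [(v, k, 1 / (3 * PER_VLAN)) for v in VLANS for k in range(PER_VLAN)]
SKEWED = [("vlan30", 99, 0.99)] + [(v, k, 0.01 / 299) for v, k, _ in UNIFORM if (v, k) != ("vlan30", 99)]
```

With uniform hits, `expected_evaluations` gives 150.5 for the flat chain and 52.5 with jumps (the 150 vs. 51-ish plus jumps above); for the skewed mix, `evaluate` shows the hot bottom rule costing 300, 103 or 1 evaluations depending on whether it sits in the flat chain, inside IntoVlan30, or before the jump rules.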

Nice, it looks like a great advantage.
If the rules are fairly distributed between vlans, then the second level chains can improve it even more, reduce to half + jump rules.
I am aware of “more often connections” which should be on top of the chains.
Thanks for the answer, if someone has another point of view or any other experience, something to add - feel free to write it down here.