Date: Tue, 25 Oct 2011 18:50:39 +0200
From: Luigi Rizzo <rizzo@iet.unipi.it>
To: Karim <fodillemlinkarim@gmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw rule processing performances
Message-ID: <20111025165039.GA8255@onelab2.iet.unipi.it>
In-Reply-To: <4EA6D78F.6010607@gmail.com>
References: <4EA6D78F.6010607@gmail.com>

On Tue, Oct 25, 2011 at 11:36:47AM -0400, Karim wrote:
> Hi all,
>
> I am using ipfw with a fairly small amount of rules (~200). Most of
> those are skipto rules to different blocking and pass-through blocks. I
> use ipfw tags, ALTQ, nat, fwd and several deny and allow rules and I do
> not use/need tables.
>
> What I find is around 400Mbps of traffic (~40kpps) an extremely high
> amount of cpu usage related to firewall processing.
>
> What I would like to know is if there is an ongoing work to optimise
> ipfw and/or gather ideas on how to do that.
>
> I realise my question has a large scope but I am not interested in
> optimizing my ruleset I'd like to get a feel for how code wise the
> current processing could be optimized (using multiple input TX/RX queues
> for example, etc...).

we did some performance evaluation a couple of years ago, mostly
related to dummynet but there are some ipfw data too.

http://info.iet.unipi.it/~luigi/papers/20100304-ccr.pdf

in summary, on a modern CPU i would expect to get to 200kpps
with moderate cpu usage, unless you have an expensive or poorly
designed ruleset. Unfortunately tags are very expensive, but i have
no idea of the nat overhead.

cheers
luigi

> Karim.
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"