Date:      Wed, 28 Dec 2011 02:04:07 +0400
From:      "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To:        Mike Tancsa <mike@sentex.net>
Cc:        Pawel Tyll <ptyll@nitronet.pl>, freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject:   Re: Firewall Profiling.
Message-ID:  <4EFA40D7.60206@FreeBSD.org>
In-Reply-To: <4EFA3F6F.9040404@sentex.net>
References:  <1498545030.20111227015431@nitronet.pl> <4EF9ADBC.8090402@FreeBSD.org> <4EFA3F6F.9040404@sentex.net>

Mike Tancsa wrote:
> On 12/27/2011 6:36 AM, Alexander V. Chernikov wrote:
>>> Is IPFW efficient enough to firewall 2x10GE (in+out) interfaces
>>> without much latency increase, when running on modern hardware
>>> with Intel NICs? Majority of processing tasks would probably be setfib
>>> according to matches in tables.
>> IPFW seems to add more or less constant overhead per rule. In our setup,
>> ~20 rules increase load by 100% (one core). We are able to reach 10GE
>> (1.1mpps) on some routers with most packets travelling 8-10 ipfw rules.
>> However, even with ipfw add 1 allow ip from any to any
>> 1.1 mpps routing utilizes E5645 by more than 80%. (with IGP routes in
>> rtable only). YMMV, but 2x10G is too much at the moment even without ipfw.
>
>
> Don't some of the modern 10G adapters support filtering in the card
> itself? e.g. cxgbe.
We're using Intel 8259X, it supports hardware filtering (flow director
and some other specific things like DCB) but:
1) Flow director is currently not supported (on FreeBSD).
2) There is no ipfw opcode compiler (however, it seems that it's not too
hard to write one).
3) If the ruleset is more or less optimized, the firewall is not the main CPU
consumer.

>
> 	---Mike


