From: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
Date: Wed, 28 Dec 2011 02:04:07 +0400
To: Mike Tancsa
Cc: Pawel Tyll, freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: Firewall Profiling.
Message-ID: <4EFA40D7.60206@FreeBSD.org>
In-Reply-To: <4EFA3F6F.9040404@sentex.net>
List-Id: IPFW Technical Discussions

Mike Tancsa wrote:
> On 12/27/2011 6:36 AM, Alexander V. Chernikov wrote:
>>> Is IPFW efficient enough to firewall 2x10GE (in+out) interfaces
>>> without much latency increase, when running on modern hardware
>>> with Intel NICs? The majority of processing tasks would probably be setfib
>>> according to matches in tables.
>> IPFW seems to add more or less constant overhead per rule. In our setup,
>> ~20 rules increase load by 100% (one core). We are able to reach 10GE
>> (1.1mpps) on some routers with most packets travelling 8-10 ipfw rules.
>> However, even with "ipfw add 1 allow ip from any to any",
>> 1.1 mpps routing utilizes an E5645 by more than 80% (with IGP routes in
>> the rtable only). YMMV, but 2x10G is too much at the moment even without ipfw.
>
> Don't some of the modern 10G adapters support filtering in the card
> itself? E.g. cxgbe.

We're using Intel 8259X; it supports hardware filtering (flow director and some other specific things like DCB) but:

1) Flow director is currently not supported (on FreeBSD).
2) There is no ipfw opcode compiler (however, it seems that it's not too hard to write one).
3) If the ruleset is more or less optimized, the firewall is not the main CPU consumer.

> ---Mike
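As an added illustration of the approach the thread discusses (each ipfw rule costs roughly the same, so keep the number of rules a packet crosses small and do the setfib decision from a table match), here is a small ruleset generator. It is not code from the thread or from FreeBSD; it assumes the ipfw(8) syntax of the FreeBSD 8/9 era (`table N add prefix value`, `setfib tablearg`), and the table number, prefixes and FIB ids are constructed sample values. By default it echoes the ipfw commands instead of installing them; set `IPFW=ipfw` to apply them as root on a FreeBSD router.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a compact ipfw ruleset
# that selects the FIB from a single table lookup, so every packet crosses
# two rules instead of one rule per customer prefix.
# Assumes FreeBSD 8/9-era ipfw(8) syntax (table add / setfib tablearg).
# IPFW defaults to "echo ipfw" so the script only prints what it would do.
IPFW="${IPFW:-echo ipfw}"

# Constructed sample mapping: destination prefix -> FIB number.
# The value stored with each entry is what "tablearg" resolves to.
CUSTOMER_FIBS="
10.1.0.0/16 1
10.2.0.0/16 2
192.0.2.0/24 3
"

load_table() {
    # One "table add" per prefix; the trailing number is the table value.
    printf '%s\n' "$CUSTOMER_FIBS" | while read -r prefix fib; do
        [ -n "$prefix" ] || continue
        $IPFW table 1 add "$prefix" "$fib"
    done
}

gen_ruleset() {
    # Start from a clean ruleset and an empty table (-f skips the prompt).
    $IPFW -f flush
    $IPFW table 1 flush
    load_table
    # Rule 100: the table lookup sets the FIB; setfib is non-terminating,
    # so processing continues with the next rule.
    $IPFW add 100 setfib tablearg ip from any to 'table(1)'
    # Rule 200: terminal accept; traffic not in the table keeps FIB 0.
    $IPFW add 200 allow ip from any to any
}

# Number of firewall rules a packet can traverse (table entries excluded).
rule_count() {
    gen_ruleset | grep -c '^ipfw add'
}

gen_ruleset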