Date: Thu, 24 Jan 2008 10:43:56 -0800 (PST)
From: Tommy Pham <tommyhp2@yahoo.com>
To: freebsd-pf@freebsd.org
Subject: Re: PF makes em0 taskq to eat 100% CPU
Message-ID: <468875.8048.qm@web38211.mail.mud.yahoo.com>
In-Reply-To: <4798CCD3.6050002@moneybookers.com>

Hi Stefan,

I suggest you cvs the source to branch RELENG_7 and rebuild world kernel.
(Rebuilding kernel helps a little but still have performance hits.) I had
major performance issues with RC1 on my P3 box (128 RAM) with load hitting
6+ in top. Now the load averages at 0.15.

Regards,
Tommy

--- Stefan Lambrev <stefan.lambrev@moneybookers.com> wrote:

> Abdullah Ibn Hamad Al-Marri wrote:
> > ----- Original Message ----
> >
> >> From: Stefan Lambrev <stefan.lambrev@moneybookers.com>
> >> To: freebsd-pf@freebsd.org
> >> Sent: Thursday, January 24, 2008 6:39:41 PM
> >> Subject: PF makes em0 taskq to eat 100% CPU
> >>
> >> Hello,
> >>
> >> I'm doing some tests and benchmarks and I'm testing pf on bridge firewall.
> >>
> >> One of the specific tests is how PF will handle SYN flood from random
> >> source addresses.
> >> While the bridge is w/o activated PF, I see 12-14MB/s traffic.
> >> When I enable the PF the traffic drops to 2-5MB/s and I'm starting to
> >> see lost packets.
> >>
> >> Here is what top -S shows when PF is not active:
> >> 25 root 1 -68 - 0K 16K - 1 34:45 26.37% em0 taskq - only 26% CPU used
> >>
> >> but when I enable PF it (em0 taskq) goes up to 100% and packets are lost.
> >>
> >> Here is the pf.conf used for tests:
> >>
> >> #macros
> >> ext_if="em0"
> >> int_if="em1"
> >> br_if="bridge0"
> >>
> >> www="10.3.3.1"
> >>
> >> #sets
> >> set skip on lo0
> >> set skip on $int_if
> >> set skip on $br_if
> >> set limit states 20000000
> >> set limit src-nodes 15000
> >> set optimization aggressive
> >>
> >> table persist file "/etc/abusive_hosts"
> >>
> >> block log quick from to any
> >> block log quick from any to
> >>
> >> pass in quick on $ext_if proto tcp from any to $www port { 80, 443 } flags S/SA keep state \
> >> (source-track rule, max-src-conn-rate 150/10, max-src-states 250, overload flush global)
> >>
> >> The number of states that I reach is little more than 2,000,000.
> >> (20,000,000 is the limit that I enforce)
> >> FreeBSD 7.0-RC1- Thu Jan 24 - amd64 - sched_ule
> >>
> >> Please advise.
> >>
> >> --
> >>
> >> Best Wishes,
> >> Stefan Lambrev
> >> ICQ# 24134177
> >>
> >
> > Hello Stefan,
> >
> > What version of FreeBSD do you use and what arch? what is your CPU spec and what ram?
> >
>
> FreeBSD 7.0-RC1 - Thu Jan 24 - amd64 - sched_ule, My CPU is Xeon(R) X3220 2.4 GHz - quad core, 2GB RAM
> I increased kern.ipc.nmbclusters=262144
> I find device polling quite helpful here - at least the CPUs are idle.
>
> > Regards,
> > -Abdullah Ibn Hamad Al-Marri
> > Arab Portal
> > http://www.WeArab.Net/
> >
>
> --
>
> Best Wishes,
> Stefan Lambrev
> ICQ# 24134177