From owner-freebsd-net@FreeBSD.ORG Tue Oct 23 07:13:28 2012 Return-Path: Delivered-To: net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1F66FC53; Tue, 23 Oct 2012 07:13:28 +0000 (UTC) (envelope-from nino80@gmail.com) Received: from mail-ie0-f182.google.com (mail-ie0-f182.google.com [209.85.223.182]) by mx1.freebsd.org (Postfix) with ESMTP id CD0FD8FC14; Tue, 23 Oct 2012 07:13:27 +0000 (UTC) Received: by mail-ie0-f182.google.com with SMTP id k10so6459298iea.13 for ; Tue, 23 Oct 2012 00:13:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=rGNhiXzsOUch7jy9gw76WcJxqI+1yPdt/XTvjRUMIno=; b=hsGQOzSbgt4DPZKlZgbm1PRpwHkFaWGXx/Bfxc2FHKPR5u5hjZ47bGCum5j8Nn0NlE SlQnXIaaE1r7K0x0NcjLg3CjlSTYutuHyutzvaj1BCxKJHrC+HbNdCRH2fNs+3pIb4T/ KKkRHGZV3hQ3mUpnXEQB1lSR47MxOHdDGnILWTgJzTB6F/O/fA8xilnP49R7VVwnh6Pd M7hfxj0HjLT9BI9rElBWntDjZY6s6WT9U87LvMdGZMzWb6RkuAhtKoznILkf3MjHrWYz ZUfUkJK35FVbrPGUsyQVIwRi3P6X88fgPfuh2dVjr9uDXzNZnoK7C2UDCTc/rzMFLO2X 6i7A== Received: by 10.50.37.168 with SMTP id z8mr19163504igj.1.1350976407279; Tue, 23 Oct 2012 00:13:27 -0700 (PDT) MIME-Version: 1.0 Received: by 10.43.113.65 with HTTP; Tue, 23 Oct 2012 00:13:07 -0700 (PDT) In-Reply-To: <50848E16.6060008@freebsd.org> References: <508138A4.5030901@FreeBSD.org> <50848E16.6060008@freebsd.org> From: n j Date: Tue, 23 Oct 2012 09:13:07 +0200 Message-ID: Subject: Re: [RFC] Enabling IPFIREWALL_FORWARD in run-time To: ipfw@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Cc: net@freebsd.org X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Oct 2012 07:13:28 -0000 > On 10/19/12 4:25 AM, Andrey V. Elsukov wrote: >> >> Hi All, >> >> Many years ago i have already proposed this feature, but at that time >> several people were against, because as they said, it could affect >> performance. Now, when we have high speed network adapters, SMP kernel >> and network stack, several locks acquired in the path of each packet, >> and i have an ability to test this in the lab. >> >> So, i prepared the patch, that removes IPFIREWALL_FORWARD option from >> the kernel and makes this functionality always build-in, but it is >> turned off by default and can be enabled via the sysctl(8) variable >> net.pfil.forward=1. >> >> http://people.freebsd.org/~ae/pfil_forward.diff >> >> Also we have done some tests with the ixia traffic generator connected >> via 10G network adapter. Tests have show that there is no visible >> difference, and there is no visible performance degradation. >> >> Any objections? Just another me-too mail - this is great news! I can't really comment on the quality of the patch or the performance results as I'm neither an expert in low-level coding nor do I have a test lab to give this patch a go, but if there are no concrete objections, I really hope this goes forward. Thanks for the good work. Regards, -- Nino