Date: Fri, 26 Apr 2013 00:21:11 +0200
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: Erich Weiler <weiler@soe.ucsc.edu>
Cc: freebsd-net@freebsd.org
Subject: Re: pf performance?
Message-ID: <201304260021.11209.vegeta@tuxpowered.net>
In-Reply-To: <517974DA.5090809@soe.ucsc.edu>
References: <5176E5C1.9090601@soe.ucsc.edu> <201304240134.22740.vegeta@tuxpowered.net> <517974DA.5090809@soe.ucsc.edu>

On Thursday, 25 April 2013 at 20:24:26, Erich Weiler wrote:
> > As far as I understand, processing of packets by pf takes place in
> > receiving network card's interrupt handler even up to sending the packet
> > via another network card (at least in my case, when using route-to
> > targets, which make routing inside pf).
>
> That's interesting. So even though pf is giant locked, you can still
> scale the maximum capacity of your firewall, in this case, simply by
> adding more CPU cores? To handle the extra interrupts? So more cores =
> more packets per second, if you give each extra core an additional
> interrupt queue?

There is still some code outside pf that packets from the network pass through.

> > How do you count the 140kpps value? One interface, both, in, out? I'd
> > like to relate this somehow to my values.
>
> Well, generally we see 80kpps rx and 40kpps tx. But I have seen the rx
> spike to 150kpps occasionally.

Unfortunately at this moment I have no single machine with such traffic,
although maybe I can aggregate some traffic later and check the cpu usage then.

> This is a pfSense box, which includes
> RRD graphs of packet rates, that's how I'm getting the number. I'm not
> sure how they are obtaining that metric under the hood. But we have not
> disabled HT and some other items, so that number will change is my
> guess. We also may add another CPU die to the mix to see if we can add
> interrupt queues to more cores to increase performance.

How many pf rules do you have? And, as I asked in my previous post, do you
create states on both sides of the firewall?

-- 
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net  |
| Vegeta                 | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'