Date:      Fri, 26 Apr 2013 17:42:24 +0400
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        Erich Weiler <weiler@soe.ucsc.edu>
Cc:        freebsd-net@freebsd.org
Subject:   Re: pf performance?
Message-ID:  <20130426134224.GV76816@FreeBSD.org>
In-Reply-To: <5176E5C1.9090601@soe.ucsc.edu>
References:  <5176E5C1.9090601@soe.ucsc.edu>

  Erich,

On Tue, Apr 23, 2013 at 12:49:21PM -0700, Erich Weiler wrote:
E> I have a question here about how FreeBSD (8.1-RELEASE-p13 specifically) 
E> behaves when acting as a firewall.  I understand the pf process is 
E> "giant locked" to a single CPU core when inspecting packets inbound and 
E> outbound.  I was wondering, how does that manifest when I look at "top 
E> -P" on the firewall?

pf isn't a process, so you can't see it in top. pf does have some
helper threads, but packet processing isn't performed by any of them.

pf is kind of a library in the kernel. The packets are processed by
NIC interrupt handler threads, and these threads enter the library
to perform packet filtering. Since in FreeBSD 8 this library is
covered by a single lock (it isn't the Giant, but it is kind of a
"local pf giant"), processing is serialized - threads enter the
library one by one, and they are blocked on entry if another
thread is already working inside.

In FreeBSD 10, pf is no longer under a single lock. On your hardware,
I'd expect a measurable performance gain if you migrate to 10.

-- 
Totus tuus, Glebius.


