From owner-freebsd-pf@FreeBSD.ORG Wed Mar 25 00:07:41 2009
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Deomid Ryabkov
Date: Wed, 25 Mar 2009 01:07:35 +0100
Subject: Re: 8.0-CURRENT: having pf enabled without any rules impacts forwarding performance
In-Reply-To: <49C96933.4030901@rojer.pp.ru>
Message-Id: <200903250107.36160.max@love2party.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Wednesday 25 March 2009 00:13:55 Deomid Ryabkov wrote:
> I have a machine with nc running through it.
> With pf disabled, I see 960-970 Mbit/s through it (as reported by systat
> -ifstat).
> Just having pf enabled, with an empty ruleset:
>
> # pfctl -vs nat
> # pfctl -vs rules
> #
>
> reduces throughput to about 700 Mbit.
> This seems wrong. Any ideas why this might be happening?

You have to search the (empty) ruleset for the (implicit) default "pass all"
rule. This is somewhat expensive. Then there is the pf mutex (quite
expensive) and the pfil rm_lock (not so much). In addition, the pf mutex is
a single, global lock and thus reduces the opportunity for parallelism.

> OS: 8.0-CURRENT #0: Fri Feb 27 04:20:49 MSK 2009
>
> thanks.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
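A reproducible way to measure the effect Max describes, as an added example that is not part of the thread and not code from the FreeBSD project: the script below takes the same box through three states (pf disabled, pf enabled with a flushed ruleset, and pf enabled with `set skip on` for the forwarding interfaces) and reports the throughput drop relative to the pf-disabled baseline. It assumes iperf (version 2) is installed with a server reachable through the router, that the interface names `em0`/`em1` and the server address `192.0.2.10` are placeholders to be replaced, and that it runs as root on a test box, since `pfctl -F all` discards the existing rules and states. It uses iperf rather than `systat -ifstat` so the numbers can be parsed; whether `set skip` recovers any of the lost throughput is exactly what the third run is there to find out, not a claim.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD project. Compares
# forwarding throughput through a pf box in three configurations.
# Assumed: iperf2 client here, iperf2 server behind the box, root privileges.
set -eu

IPERF_SERVER="${IPERF_SERVER:-192.0.2.10}"   # assumed placeholder (TEST-NET-1)
IFACES="${IFACES:-em0 em1}"                  # assumed forwarding interfaces
SECS="${SECS:-10}"                           # seconds per iperf run

# Read iperf2 output on stdin and print the final bandwidth in Mbit/s,
# normalising Kbits/Mbits/Gbits. Prints 0.0 if no summary line is present.
iperf_mbits() {
    awk '
        /bits\/sec/ {
            rate = $(NF-1); unit = $NF
            if (unit ~ /^Gbits/)      rate *= 1000
            else if (unit ~ /^Kbits/) rate /= 1000
            last = rate
        }
        END { printf "%.1f\n", last + 0 }'
}

# Percentage drop of $2 relative to baseline $1, one decimal place.
pct_drop() {
    awk -v base="$1" -v cur="$2" 'BEGIN {
        if (base <= 0) { print "0.0"; exit }
        printf "%.1f\n", (base - cur) * 100 / base }'
}

# One iperf run through the box, reduced to a single Mbit/s figure.
measure() {
    iperf -c "$IPERF_SERVER" -t "$SECS" 2>/dev/null | iperf_mbits
}

run_all() {
    # 1. Baseline: pf disabled (ignore the error if it was already off).
    pfctl -d 2>/dev/null || true
    base=$(measure)

    # 2. pf enabled with a completely empty ruleset, as in the report.
    pfctl -F all >/dev/null 2>&1
    pfctl -e
    empty=$(measure)

    # 3. Same, but the forwarding interfaces are skipped by pf.
    printf 'set skip on { %s }\n' "$IFACES" | pfctl -f -
    skip=$(measure)

    pfctl -d
    printf '%-28s %8s Mbit/s\n' "pf disabled" "$base"
    printf '%-28s %8s Mbit/s  (-%s%%)\n' "pf enabled, empty ruleset" \
        "$empty" "$(pct_drop "$base" "$empty")"
    printf '%-28s %8s Mbit/s  (-%s%%)\n' "pf enabled, set skip" \
        "$skip" "$(pct_drop "$base" "$skip")"
}

# Only touch pf when explicitly asked: sh pf-forward-bench.sh run
if [ "${1:-}" = "run" ]; then
    run_all
fi
```

Run it a few times per state and compare medians rather than single samples; the parsing helpers can be exercised on their own with canned iperf output (for the figures in the report, 965 Mbit/s falling to 700 is a 27.5 % drop).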