Date: Tue, 27 Dec 2011 15:36:28 +0400 From: "Alexander V. Chernikov" <melifaro@FreeBSD.org> To: Pawel Tyll <ptyll@nitronet.pl> Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org Subject: Re: Firewall Profiling. Message-ID: <4EF9ADBC.8090402@FreeBSD.org> In-Reply-To: <1498545030.20111227015431@nitronet.pl> References: <1498545030.20111227015431@nitronet.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
On 27.12.2011 04:54, Pawel Tyll wrote: > Hi lists, > > Are there any profiling tools in the system or ports that would allow > me to determine how much processing is being done per packet and how > long does it take? I would like to predict possible PPS load for my > system and perhaps locate and remove some bottlenecks. > > Is IPFW efficient enough to firewall 2x10GE (in+out) interfaces > without much latency increase, when running on modern hardware > with Intel NICs? Majority of processing tasks would probably be setfib > according to matches in tables. IPFW seems to add more or less constant overhead per rule. In our setup, ~20 rules increase load by 100% (one core). We are able to reach 10GE (1.1mpps) on some routers with most packets travelling 8-10 ipfw rules. However, even with ipfw add 1 allow ip from any to any 1.1 mpps routing utilizes E5645 by more that 80%. (with IGP routes in rtable only). YMMV, but 2x10G is too much at the moment even without ipfw. > > Pawel. > > > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > -- WBR, Alexander
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4EF9ADBC.8090402>