Date:      Thu, 19 Sep 2013 00:19:33 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Luigi Rizzo <rizzo@iet.unipi.it>
Cc:        h bagade <bagadeh@gmail.com>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: impact of disabling firewall on performance?
Message-ID:  <20130918235331.R1460@sola.nimnet.asn.au>
In-Reply-To: <CA+hQ2+h-2eEDHwAgBeO04yWn4SvcspOfujrZ1qBVPiN8syP90A@mail.gmail.com>
References:  <CAARSjE07M92tFmQkXPbN4_5b_eXseiYekZHkL=0b6UOK-qtixA@mail.gmail.com> <20130918175406.B1460@sola.nimnet.asn.au> <CA+hQ2+h-2eEDHwAgBeO04yWn4SvcspOfujrZ1qBVPiN8syP90A@mail.gmail.com>

On Wed, 18 Sep 2013 11:18:38 +0200, Luigi Rizzo wrote:
 > On Wed, Sep 18, 2013 at 10:07 AM, Ian Smith <smithi@nimnet.asn.au> wrote:
 > 
 > > On Wed, 18 Sep 2013 12:00:30 +0430, h bagade wrote:
 > >  > Hi all,
 > >  >
 > >  > I've heard that disabling firewall with commands or setting related sysctl
 > >  > parameter wouldn't increase performance and still firewalls participate in
 > >  > forwarding process. The only way to reach a better performance is making
 > >  > firewall modules to being loaded dynamically and thereafter unloading
 > >  > firewall modules!
 > >
 > > Where exactly did you hear that?
 > >
 > >  > I want to know is it right? and if so, why it should be like this?
 > >
 > > The difference between not invoking a firewall at all and invoking one
 > > with a single 'pass all' rule would be fairly difficult to measure per
 > > packet.  If your firewall is a bottleneck you likely have larger issues.
 > >
 > 
 > well...

:-) I almost added "though Luigi will have measured it to the ns/MHz"

 > unloading or disabling the firewall with a sysctl is likely
 > exactly the same in terms of performance -- it's just
 > something like
 > 
 >     if (firewall_loaded || firewall_enabled) {
 >          invoke_firewall(...);
 >     }

Not && ?

Either way, unloading the module/s couldn't gain any performance.

 > However, executing the firewall with a single pass rule consumes
 > some significant amount of time, see
 > http://info.iet.unipi.it/~luigi/papers/20091201-dummynet.pdf
 > (those numbers are from 2009 and i measured about 400ns;
 > recent measurements with ipfw-over-netmap on a fast i7
 > give about 100ns per packet).
 > 
 > This is definitely measurable.

Thanks for the spanking, and a second browsing of Dummynet Revisited.

cheers, Ian
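To put Luigi's figures in context, here is an added example (not code from the thread or from ipfw) that compares the quoted per-packet firewall cost (about 400 ns in the 2009 dummynet paper, about 100 ns with ipfw-over-netmap on a fast i7) with the time a line-rate Ethernet stream leaves per packet. The Ethernet framing constants are standard; the link speeds and frame sizes in the report are just illustrative inputs.

```python
# Added example: how much of the per-packet time budget a single "pass all"
# firewall rule consumes at line rate, using the 400 ns / 100 ns figures
# quoted in the thread. Standard Ethernet wire overhead is assumed:
# 8-byte preamble+SFD and 12-byte inter-frame gap around every frame.

WIRE_OVERHEAD_BYTES = 8 + 12   # preamble + SFD, inter-frame gap
MIN_FRAME_BYTES = 64           # minimum Ethernet frame, FCS included
MTU_FRAME_BYTES = 1518         # 1500-byte payload frame, FCS included

def line_rate_pps(link_bps, frame_bytes=MIN_FRAME_BYTES):
    """Maximum frames per second for frame_bytes-sized frames on a link_bps link."""
    bits_on_wire = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return link_bps / bits_on_wire

def per_packet_budget_ns(link_bps, frame_bytes=MIN_FRAME_BYTES):
    """Nanoseconds available per packet if every frame is forwarded at line rate."""
    return 1e9 / line_rate_pps(link_bps, frame_bytes)

def firewall_share(link_bps, firewall_ns, frame_bytes=MIN_FRAME_BYTES):
    """Fraction of the per-packet budget spent in a firewall costing firewall_ns.
    Above 1.0 the firewall alone cannot keep up with line rate."""
    return firewall_ns / per_packet_budget_ns(link_bps, frame_bytes)

def firewall_capped_pps(firewall_ns):
    """Upper bound on forwarding rate if the firewall were the only per-packet cost."""
    return 1e9 / firewall_ns

def report(link_bps, firewall_ns, frame_bytes=MIN_FRAME_BYTES):
    """One human-readable line summarising the numbers above."""
    budget = per_packet_budget_ns(link_bps, frame_bytes)
    share = firewall_share(link_bps, firewall_ns, frame_bytes)
    verdict = "cannot keep line rate" if share > 1 else "fits"
    return (f"{link_bps / 1e9:g} Gbit/s, {frame_bytes}-byte frames: "
            f"{budget:.1f} ns/packet budget, firewall {firewall_ns} ns "
            f"= {share:.1%} of budget ({verdict})")

if __name__ == "__main__":
    # Illustrative inputs: 1 GbE and 10 GbE, minimum and MTU-sized frames.
    for link in (1e9, 10e9):
        for frame in (MIN_FRAME_BYTES, MTU_FRAME_BYTES):
            for cost in (400, 100):
                print(report(link, cost, frame))
```

With minimum-size frames on 10 GbE the 100 ns rule already exceeds the 67 ns per-packet budget, which is why a single pass rule is, as Luigi says, definitely measurable.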
