From: Luigi Rizzo
To: Ian Smith
Cc: h bagade, "freebsd-net@freebsd.org"
Date: Wed, 18 Sep 2013 16:27:07 +0200
Subject: Re: impact of disabling firewall on performance?

On Wed, Sep 18, 2013 at 4:19 PM, Ian Smith wrote:

> On Wed, 18 Sep 2013 11:18:38 +0200, Luigi Rizzo wrote:
>
> > unloading or disabling the firewall with a sysctl is likely
> > exactly the same in terms of performance -- it's just
> > something like
> >
> >     if (firewall_loaded || firewall_enabled) {
> >         invoke_firewall(...);
> >     }
>
> Not && ?
>

you are correct. thanks for the spanking, too :)
(i sent the email at 4am and i will be surprised if this is
the only mistake in my message...)

cheers
luigi

>
> Either way, unloading the module/s couldn't gain any performance.
>
> > However, executing the firewall with a single pass rule consumes
> > some significant amount of time, see
> > http://info.iet.unipi.it/~luigi/papers/20091201-dummynet.pdf
> > (those numbers are from 2009 and i measured about 400ns;
> > recent measurements with ipfw-over-netmap on a fast i7
> > give about 100ns per packet).
> >
> > This is definitely measurable.
>
> Thanks for the spanking, and a second browsing of Dummynet Revisited.
>
> cheers, Ian
>

-- 
-----------------------------------------+-------------------------------
 Prof. Luigi RIZZO, rizzo@iet.unipi.it  . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/        . Universita` di Pisa
 TEL      +39-050-2211611               . via Diotisalvi 2
 Mobile   +39-338-6809875               . 56122 PISA (Italy)
-----------------------------------------+-------------------------------