Date: Tue, 27 Dec 2011 15:26:00 +0100
From: Luigi Rizzo <rizzo@iet.unipi.it>
To: Pawel Tyll <ptyll@nitronet.pl>
Cc: freebsd-ipfw@freebsd.org, "Alexander V. Chernikov" <melifaro@freebsd.org>, freebsd-net@freebsd.org
Subject: Re: Firewall Profiling.
Message-ID: <20111227142600.GA65456@onelab2.iet.unipi.it>
In-Reply-To: <623366116.20111227150047@nitronet.pl>
References: <1498545030.20111227015431@nitronet.pl> <4EF9ADBC.8090402@FreeBSD.org> <623366116.20111227150047@nitronet.pl>
On Tue, Dec 27, 2011 at 03:00:47PM +0100, Pawel Tyll wrote:
> > IPFW seems to add more or less constant overhead per rule. In our setup,
> > ~20 rules increase load by 100% (one core). We are able to reach 10GE
> > (1.1mpps) on some routers with most packets travelling 8-10 ipfw rules.
> > However, even with ipfw add 1 allow ip from any to any
> > 1.1 mpps routing utilizes E5645 by more than 80%. (with IGP routes in
> > rtable only). YMMV, but 2x10G is too much at the moment even without ipfw.
> Does this include jumbo-frames? 1.1 mpps is far from 10gbit with
> standard Internet 1500-byte traffic, unless you meant 11.1 mpps :)

a 1500-byte frame is 12k bits so you need 830 Kpps to saturate the 10G link
in one direction (and say another 450 Kpps as acks in the other direction).

I reported the performance of ipfw+dummynet
http://info.iet.unipi.it/~luigi/papers/20091201-dummynet.pdf
on a 2.3GHz box and 800MHz RAM. The E5645 mentioned in the original msg
is probably 2x faster than my test machine.

> Are there any plans or hopes for efficiency increase? Something like
> netmap? (http://info.iet.unipi.it/~luigi/netmap/)

plans, yes - not sure how long it will take.
I have compiled ipfw+dummynet as a standalone module (outside the kernel)
but have not yet hooked the code to netmap to figure out how fast it can run.

cheers
luigi