Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 20 Mar 2006 12:44:09 -0500
From:      Kris Kennaway <kris@obsecurity.org>
To:        Bohuslav Plucinsky <bohuslav.plucinsky@in.nextra.sk>
Cc:        freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Subject:   Re: Low network performance after upgrade from FreeBSD 4.8 to 6.0
Message-ID:  <20060320174409.GA72825@xor.obsecurity.org>
In-Reply-To: <20060320131020.GI20138@in.nextra.sk>
References:  <20060320131020.GI20138@in.nextra.sk>
next in thread | previous in thread | raw e-mail | index | archive | help 

--VbJkn9YxBvnuCH5J
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Mar 20, 2006 at 02:10:20PM +0100, Bohuslav Plucinsky wrote:

> The "top" utility shows 100% CPU load:

What about top -S to show the kernel threads (since that's what's
using 90% of your CPU)?

> last pid:   771;  load averages:  0.25,  0.06,  0.02                     =
                                              up 0+00:24:30  14:08:32
> 27 processes:  2 running, 25 sleeping
> CPU states:  8.8% user,  0.0% nice, 59.6% system, 31.6% interrupt,  0.0% =
idle
> Mem: 16M Active, 4752K Inact, 11M Wired, 8144K Buf, 22M Free
> Swap: 500M Total, 500M Free
>=20
>   PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
>   229 root        1 105    0  1428K   904K RUN      0:35 40.82% natd

> options		MROUTING		# Multicast routing

Do you actually use this?

> options         IPFIREWALL              #firewall
> options         IPFIREWALL_VERBOSE      #print information about dropped =
packets
> options         IPFIREWALL_FORWARD      #enable transparent proxy support
> options         IPFIREWALL_FORWARD_EXTENDED     #all packet dest changes
> options         IPSTEALTH               #support for stealth forwarding
> options		IPDIVERT		#divert sockets
> options		TCPDEBUG
> options 	IPSEC_DEBUG		#debug for IP security

Why do you define the DEBUG settings?  They'll only slow you down, but
it's probably not the main reason.

> options		DUMMYNET
> options 	TCP_DROP_SYNFIN		#drop TCP packets with SYN+FIN
> options 	INCLUDE_CONFIG_FILE     # Include this file in kernel
> options 	IPSEC			#IP security
> options 	IPSEC_ESP		#IP security (crypto; define w/ IPSEC)

Better to use fast ipsec unless you have a need for ipv6.

Kris
--VbJkn9YxBvnuCH5J
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEHunoWry0BWjoQKURAh/QAJ9gQ75cJtVYKT32JWNGFp3QPZ5avQCeKN93
z7V8NsEPmJ0cYOsOXdkWTCw=
=4d52
-----END PGP SIGNATURE-----

--VbJkn9YxBvnuCH5J--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060320174409.GA72825>