Date: Fri, 27 Dec 2013 09:34:16 +0300 From: "Denis V. Klimkov" <falcon@tcm.by> To: freebsd-net@freebsd.org Subject: ipfw verrevpath performance broken in 9.2 Message-ID: <21356442.20131227093416@tcm.by>
next in thread | raw e-mail | index | archive | help
Hello Freebsd-net, Recently upgraded router system from 9.0-RELEASE to 9.2-STABLE and got 100% CPU utilisation on all cores with interrupts under the same load that had about 25-30% CPU utilisation before. Of course that lead to high latency (about 400 ms and packet loss). Load reduced immediately after I removed all ipfw antispoofing rules with "verrevpath": 11010 3659429 430047150 deny ip from any to any not verrevpath in via vlan6 11020 719931 58619220 deny ip from any to any not verrevpath in via vlan7 11025 68141 5144481 deny ip from any to any not verrevpath in via vlan8 11030 202144 6785732 deny ip from any to any not verrevpath in via vlan9 11040 171291 56196945 deny ip from any to any not verrevpath in via vlan10 11045 291914032 39427773226 deny ip from any to any not verrevpath in via vlan11 11060 6102962 441745213 deny ip from any to any not verrevpath in via vlan15 11070 4832442 1259880158 deny ip from any to any not verrevpath in via vlan16 11080 814769 95745079 deny ip from any to any not verrevpath in via vlan17 11101 2901098 628552748 deny ip from any to any not verrevpath in via vlan26 11102 1264750 146468688 deny ip from any to any not verrevpath in via vlan27 11110 902441 294155831 deny ip from any to any not verrevpath in via vlan21 11120 628324 31060933 deny ip from any to any not verrevpath in via vlan23 11130 1381 83245 deny ip from any to any not verrevpath in via vlan24 11138 4258607 3389925416 deny ip from any to any not verrevpath in via vlan31 11150 56 2792 deny ip from any to any not verrevpath in via vlan40 Is there a way to fix verrevpath performance issue in 9.2 and futher? There is no problem to remove this rules on this system, but I also have 2 systems running MPD with about 2000 PPPoE ng interfaces with very handy ipfw rule "deny ip from any to any not verrevpath in via ng*". --- Denis V. Klimkov
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?21356442.20131227093416>