Date: Sun, 14 Oct 2007 18:24:02 -0500
From: "Matthew Franz" <mdfranz@gmail.com>
To: "Michael Conlen" <m@obmail.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF in FreeBSD 5.3 versus 6.x
Message-ID: <33acb3db0710141624g3647ddaasf720b78c3df4a208@mail.gmail.com>
In-Reply-To: <DD7C3199-BA7A-4845-B03E-DC3D5A83F356@obmail.net>
References: <DD7C3199-BA7A-4845-B03E-DC3D5A83F356@obmail.net>
Hi Michael,

You don't say whether you are running pfsync, because Bill Marquette (who I work with) and Max have been discussing a pretty nasty pfsync bug (on 6.2) on this list under high loads (probably starting where you are at in terms of pps throughput but going up to 70-90kpps) where the backup is unable to clear states and there is eventually a huge discrepancy between the master and the backup. If you are seeing this with a single box. It's on my list to try to reproduce this in the lab (and test some of the patches Max has developed) with smartbits, but I still haven't had time.

We are definitely seeing some PF losing state entries, but sort of assumed this was a pfsync issue (or an effect thereof), but if you are seeing this without pfsync, that would point to some more fundamental problems with PF under high load.

I can also share some more specific stats offline if that would be helpful.

- mdf

On 10/9/07, Michael Conlen <m@obmail.net> wrote:
> I've noticed at some point between 5.3 and 6.0 that PF seems to be
> dropping more packets than with 5.3 and there is increased deviation
> in latency. Using the same equipment handling about 25k PPS each way
> I see about 0.3% packet loss with FreeBSD 6.2 and 6.0 with sub 0.1%
> loss with FreeBSD 5.3. Similarly the worst case response times for
> ICMP packets are much less in 5.3 than in either version of 6.
>
> I'm using something pretty vanilla in terms of setup. No ALTQ support
> or features, no redirects, just a lot of blocking and allowing. The
> firewalls are using server class 3Com and Intel Gigabit (Fiber)
> cards. The changes were noticed going forward and undone by going
> back to FreeBSD 5.3 so I don't suspect physical problems at the moment.
>
> My pf.conf is essentially a block in all followed by a block in quick
> against a table with 2000 entries, many of them /24 or /16, followed by
> pass rules to the various host:ports we allow.
>
> If I login to the firewalls themselves and run mtr in each direction
> I don't see any traffic loss. It's only when crossing the firewalls.
>
> Usage is about 25k packets per second and 100Mbit/sec 5 minute max
> traffic. The switches are Foundry SI-800g.
>
> Also doing about 25k/sec searches with 400 inserts a second and 270
> removals and 407 matches/sec. The state table seems to run about
> 70,000 to 90,000
>
> Are there issues I should be aware of and should pf be able to handle
> this kind of load?
>
> --
> Michael Conlen
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

-- 
Matthew Franz
http://www.threatmind.net/
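The master/backup state discrepancy Matthew describes, and the state-table counters Michael quotes (searches, inserts, removals, current entries), are both visible in `pfctl -s info`. The script below is an added example, not code from either poster or from the FreeBSD project: it parses that output for a pfsync master and backup and flags a backup whose state count has drifted from the master's, which is the symptom worth monitoring on a pair before it shows up as packet loss. Both blocks of `pfctl -s info` text are constructed sample output in the layout pfctl prints; the counter values and the 10% drift threshold are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): compare pf state-table counters
# from `pfctl -s info` on a pfsync master and backup.  The two inputs
# below are CONSTRUCTED sample output; on real hosts capture them with
#   ssh master 'pfctl -s info' > master.txt ; ssh backup 'pfctl -s info' > backup.txt
# and pass the file contents to check_pfsync.

MASTER_INFO='Status: Enabled for 12 days 04:11:09           Debug: Urgent

State Table                          Total             Rate
  current entries                    84217
  searches                     19381133940        25231.0/s
  inserts                        311844200          406.0/s
  removals                       311759983          404.0/s
Counters
  match                          312611907          407.0/s
  bad-offset                             0            0.0/s'

BACKUP_INFO='Status: Enabled for 12 days 04:10:51           Debug: Urgent

State Table                          Total             Rate
  current entries                   152906
  searches                              12            0.0/s
  inserts                        311844011          406.0/s
  removals                       233155210          182.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s'

# pf_counter NAME INFO [COLUMN]: print the Total (COLUMN=1, default) or
# Rate (COLUMN=2, "/s" stripped) column of counter NAME, e.g.
# "current entries", "inserts", "removals".
pf_counter() {
    printf '%s\n' "$2" | awk -v name="$1" -v col="${3:-1}" '
        $0 ~ ("^[ \t]+" name "[ \t]+[0-9]") {
            sub("^[ \t]+" name "[ \t]+", "")   # leave only the numeric columns
            v = $col
            sub(/\/s$/, "", v)                # rates are printed as "406.0/s"
            print v
            exit
        }'
}

# state_drift_pct MASTER_INFO BACKUP_INFO: integer percentage by which the
# backup's current state count exceeds the master's (negative if fewer).
state_drift_pct() {
    m=$(pf_counter "current entries" "$1")
    b=$(pf_counter "current entries" "$2")
    [ "$m" -gt 0 ] 2>/dev/null || { echo "master reports no states" >&2; return 2; }
    echo $(( (b - m) * 100 / m ))
}

# net_state_rate INFO: inserts/s minus removals/s.  A backup that sits
# well above zero while the master hovers near zero is accumulating
# states it never clears.
net_state_rate() {
    ins=$(pf_counter inserts "$1" 2)
    rem=$(pf_counter removals "$1" 2)
    awk -v i="$ins" -v r="$rem" 'BEGIN { print i - r }'
}

# check_pfsync MASTER_INFO BACKUP_INFO THRESHOLD_PCT: 0 when the backup is
# within THRESHOLD_PCT of the master, 1 when it has drifted, 2 on bad input.
check_pfsync() {
    drift=$(state_drift_pct "$1" "$2") || return 2
    growth=$(net_state_rate "$2")
    if [ "$drift" -gt "$3" ] || [ "$drift" -lt "-$3" ]; then
        echo "WARN: backup holds ${drift}% more states than master (net ${growth}/s on backup)"
        return 1
    fi
    echo "OK: backup within ${3}% of master (drift ${drift}%, net ${growth}/s on backup)"
    return 0
}

check_pfsync "$MASTER_INFO" "$BACKUP_INFO" 10
echo "exit status: $?"
```

Run periodically from a monitoring host, a non-zero exit from `check_pfsync` is the signal to compare `pfctl -s state | wc -l` on both nodes and look at pfsync counters before the backup ever has to take over with a stale table. The backup's near-zero `searches` rate in the sample is expected on a standby carrying no traffic; the number that matters is the growing gap between its inserts and removals.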