[patch] gsoc project: improving layer2 filtering

Gleb Kurtsou gleb.kurtsou at gmail.com
Tue Sep 9 16:44:31 UTC 2008


On (09/09/2008 17:39), Ermal Luçi wrote:
> On Mon, Sep 8, 2008 at 9:30 PM, Gleb Kurtsou <gleb.kurtsou at gmail.com> wrote:
> > This summer I was working on improving layer2 filtering (my mentor is
> > Andrew Thompson) as a google summer of code project.  The project was
> > successfully completed.
[...]
> Have you done any measurement on the overhead of this?
> Adding tags to every packet passing might buy some overhead taking in
> consideration that pf(4) already does this means double overhead for
> each packet is it worth unifying this tags for filter case?!
No real numbers so far. I did some benchmarking on macfw mac-ip firewall
I've developed back in 2006 (should be in net@ archives). macfw itself
was too hackish and too simple and also allocated mtag for every packet. I
did the tests on pentium2 and pentium3 class machines with 64-256 mb of
ram used as routers in 700 host ethernet network. CPU never was a
bottleneck, but I've lost the results anyway.

And because of performance considerations l2tag interface flag was
added, so mtags are allocated only for packets on desired interface.

Using mtag is the right way to do it, imho. Considering unification, I
think we are trying to solve not the reason of the problem but its
consequence -- mbuf allocation should be made cheap, instead of unifying
unrelated mtags. Optimization pf did some time ago (not sure it's in
FreeBSD tree), by adding pf fields into mbuf header, is not a solution
too, components become more tightly coupled. In case there is an idea on
how to speed up mtag allocation I'd like to work on it.

> How about adding to the tags even some other parameters like vlan or
> COS value when present so one can do some tricks on vlan case or at
> least shape on COS value?
> 
> Otherwise patch seems ok at first glance and am going to try out soon.
> 
> -- 
> Ermal


More information about the freebsd-net mailing list