increasing em(4) buffer sizes

rihad rihad at mail.ru
Thu May 20 04:38:44 UTC 2010


On 05/20/2010 08:54 AM, Sriram Gorti wrote:
> Hi,
>
> I'm new to FreeBSD but there is one aspect of your description (thanks
> for the detail) on which I had a comment that I thought can be shared.
>
> > To mitigate the problem I've set up a two-level hash by means of
> > skipto rules, dropping the number of up to several thousand rules to be
> > searched for each packet to a mere 85 max, but the rate of Ierrs has
> > only increased to 40-50K per hour,
>
> Not exactly sure what kind of rules are in a firewall and what kind of
> searcher you have. If you have a software searcher, it is not just the

Not really, it's the lookup done by the OS for each outgoing packet (in 
my case). FreeBSD does so by walking the ruleset one by one, starting 
from the first rule. It does take some time if the number of rules to be 
walked is high. How do I know it's the firewall causing the drops: if I 
short circuit this process by adding "allow ip from any to any" as the 
first rule, all Ierrs disappear.

> number of rules but the "kind" of rules can also make a big difference.
> For example, most searchers become slower with regex intensive rules and
> if some such rules in your original set were retained in the reduced set
> of 85, then the drop will continue. However, why have the drops
> increased - good question. One remote guess is that it can depend on the
> behavior of the searcher - does it stop searching on the rest of the
> rules if a rule is found. If this is the case, then it is again possible
> that the set of 85 does not match most of the time causing more work for
> the searcher.
>
> All the best for your investigations,
>
Thank you!
> regards,
> Sriram
>
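
The rule walk discussed in this thread, as an added example that is not part of the original messages: a small Python model (not ipfw code) of a first-match walk, comparing a flat per-client ruleset with a two-level skipto layout. The 10.0.0.0/22 client range, the rule numbering and the /24 and /28 split are constructed for illustration and are not the poster's ruleset.

```python
import bisect
import ipaddress

ALLNET = ipaddress.ip_network("10.0.0.0/22")  # constructed: 1024 client addresses

def flat_ruleset():
    """One terminal rule per client, numbered consecutively."""
    return [(100 + i, h, "allow") for i, h in enumerate(ALLNET.subnets(new_prefix=32))]

def hashed_ruleset():
    """Two levels of skipto dispatch (/24, then /28) ahead of 16-rule leaf blocks."""
    rules = []
    for k, n24 in enumerate(ALLNET.subnets(new_prefix=24)):
        base = 1000 * (k + 1)
        rules.append((k + 1, n24, base))             # level 1: skipto base
        for j, n28 in enumerate(n24.subnets(new_prefix=28)):
            leaf = base + 100 + 20 * j
            rules.append((base + j, n28, leaf))      # level 2: skipto leaf block
            rules += [(leaf + h, host, "allow")
                      for h, host in enumerate(n28.subnets(new_prefix=32))]
    return sorted(rules, key=lambda r: r[0])

def walk(rules, numbers, dst):
    """Walk from the first rule; return (action, number of rules examined)."""
    dst = ipaddress.ip_address(dst)
    examined, i = 0, 0
    while i < len(rules):
        _, net, action = rules[i]
        examined += 1
        if dst not in net:
            i += 1                                   # no match: try the next rule
        elif isinstance(action, int):
            i = bisect.bisect_left(numbers, action)  # skipto: jump ahead, keep walking
        else:
            return action, examined                  # terminal action ends the search
    return "deny", examined                          # fell off the end of the ruleset

def examined_for(rules, dst):
    return walk(rules, [r[0] for r in rules], dst)

def worst_case(rules):
    numbers = [r[0] for r in rules]
    return max(walk(rules, numbers, h)[1] for h in ALLNET)

if __name__ == "__main__":
    for name, rs in (("flat", flat_ruleset()), ("two-level skipto", hashed_ruleset())):
        print(f"{name}: {len(rs)} rules, worst case {worst_case(rs)} examined,",
              f"unmatched packet examines {examined_for(rs, '192.0.2.1')[1]}")
```

In this model an address that matches no rule is checked against every rule in either layout, so the skipto dispatch only shortens the walk for traffic that lands in a leaf block.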

