Firewall Profiling.

Alexander V. Chernikov melifaro at FreeBSD.org
Tue Dec 27 22:05:06 UTC 2011


Mike Tancsa wrote:
> On 12/27/2011 6:36 AM, Alexander V. Chernikov wrote:
>>> Is  IPFW  efficient  enough  to  firewall  2x10GE  (in+out) interfaces
>>> without  much  latency  increase,  when  running  on  modern  hardware
>>> with Intel NICs? Majority of processing tasks would probably be setfib
>>> according to matches in tables.
>> IPFW seems to add more or less constant overhead per rule. In our setup,
>> ~20 rules increase load by 100% (one core).  We are able to reach 10GE
>> (1.1mpps) on some routers with most packets travelling 8-10 ipfw rules.
>> However, even with ipfw add 1 allow ip from any to any
>> 1.1 mpps routing utilizes E5645 by more than 80%. (with IGP routes in
>> rtable only). YMMV, but 2x10G is too much at the moment even without ipfw.
> 
> 
> Don't some of the modern 10G adapters support filtering in the card
> itself? E.g. cxgbe.
We're using Intel 8259X. It supports hardware filtering (flow director
and some other specific things like DCB), but:
1) Flow director is currently not supported (on FreeBSD).
2) There is no ipfw opcode compiler (however, it seems that it's not too
hard to write one).
3) If the ruleset is more or less optimized, the firewall is not the main CPU
consumer.

> ---Mike
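One way to keep the traversed rule count constant for the "setfib according to matches in tables" case raised in this thread, as an added example (not from the original posts or the FreeBSD project): the prefix-to-FIB policy is constructed, and the script assumes ipfw's `setfib tablearg` action and `to table(N)` destination lookups are available on the target release.

```shell
#!/bin/sh
# Constructed example: emit (not execute) two ipfw rulesets that assign a
# FIB per destination prefix. Per-rule overhead is roughly constant, so the
# goal is for every packet to traverse as few rules as possible.
# Assumptions: ipfw(8) supports "setfib tablearg" and table entry values,
# and net.fibs in loader.conf is at least one more than the highest FIB.

# Constructed sample policy: "destination-prefix fib" pairs.
POLICY='10.1.0.0/16 1
10.2.0.0/16 2
192.0.2.0/24 1
198.51.100.0/24 3'

# Naive form: one setfib rule per prefix. Rule count grows with the
# number of prefixes, and so does the per-packet cost.
naive_ruleset() {
    echo 'ipfw -q flush'
    n=100
    printf '%s\n' "$POLICY" | while read -r prefix fib; do
        [ -n "$prefix" ] || continue
        echo "ipfw -q add $n setfib $fib ip from any to $prefix"
        n=$((n + 10))
    done
    echo 'ipfw -q add 65000 allow ip from any to any'
}

# Table form: load every prefix into one table with the FIB as the entry
# value, then a single "setfib tablearg" rule applies the matched value.
# setfib is non-terminal, so the packet still reaches the final allow.
table_ruleset() {
    tbl=${1:-1}
    echo 'ipfw -q flush'
    echo "ipfw -q table $tbl flush"
    printf '%s\n' "$POLICY" | while read -r prefix fib; do
        [ -n "$prefix" ] || continue
        echo "ipfw -q table $tbl add $prefix $fib"
    done
    echo "ipfw -q add 100 setfib tablearg ip from any to \"table($tbl)\""
    echo 'ipfw -q add 65000 allow ip from any to any'
}

# Number of "ipfw add" rules in a generated ruleset (table loads excluded):
# the upper bound on rules a packet traverses.
rule_count() { "$1" | grep -c 'ipfw -q add '; }
```

Pipe `table_ruleset` into `sh` on the firewall to apply it; the rule count stays at 2 no matter how many prefixes the table holds.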



