Firewall Profiling.

Luigi Rizzo rizzo at iet.unipi.it
Wed Dec 28 10:04:19 UTC 2011


On Wed, Dec 28, 2011 at 10:26:44AM +0400, Lev Serebryakov wrote:
> Hello, Luigi.
> You wrote on 27 December 2011, 18:26:00:
> 
> > plans, yes - not sure how long it will take. I have compiled
> > ipfw+dummynet as a standalone module (outside the kernel)
> > but have not yet hooked the code to netmap to figure out how fast
> > it can run.
>  I still don't understand why it should be faster than the "normal" way,
> as it is essentially the same (ipfw + dummynet) code + some additional
> context switches for netmap (to userland and back).
>  What does netmap shave off from packet processing in this particular
> case, to compensate context switches? I

If you get called with reasonably large batches (10..50 packets,
as it may well happen if you have any sort of interrupt mitigation),
the context switch cost is amortised over the batch, so you shouldn't
see much of it.

If all the traffic goes to the local host you can't save anything.

But if you manage to do the forwarding (so it's not just ipfw but
also ip_fastforward) within the netmap layer, you save the recycling
of mbufs (which is expensive), and also the code can be slightly
optimized because packets have a single format, are contiguous, and
carry almost no metadata.

But definitely, the gains need to be measured and I have
no such numbers so far.

cheers
luigi

