pf performance?
Adrian Chadd
adrian at freebsd.org
Thu Apr 25 18:31:54 UTC 2013
... please ask the pfsense guys to either migrate to -9, or backport
the -head pf (with the locking fixes!) to -8 for that.
Otherwise you're very likely going to be wasting time on something you
can't really push that much harder.
Adrian
On 25 April 2013 11:24, Erich Weiler <weiler at soe.ucsc.edu> wrote:
>> As far as I understand, processing of packets by pf takes place in
>> receiving network card's interrupt handler even up to sending the packet
>> via another network card (at least in my case, when using route-to
>> targets, which make routing inside pf).
>
>
> That's interesting. So even though pf is giant locked, you can still scale
> the maximum capacity of your firewall, in this case, simply by adding more
> CPU cores? To handle the extra interrupts? So more cores = more packets
> per second, if you give each extra core an additional interrupt queue?
>
>
>> How do you count the 140kpps value? One interface, both, in, out? I'd
>> like to relate this somehow to my values.
>
>
> Well, generally we see 80kpps rx and 40kpps tx. But I have seen the rx
> spike to 150kpps occasionally. This is a pfSense box, which includes RRD
> graphs of packet rates, that's how I'm getting the number. I'm not sure how
> they are obtaining that metric under the hood. But we have not disabled HT
> and some other items, so that number will change is my guess. We also may
> add another CPU die to the mix to see if we can add interrupt queues to more
> cores to increase performance.