pf performance?

Gleb Smirnoff glebius at FreeBSD.org
Fri Apr 26 13:42:27 UTC 2013


  Erich,

On Tue, Apr 23, 2013 at 12:49:21PM -0700, Erich Weiler wrote:
E> I have a question here about how FreeBSD (8.1-RELEASE-p13 specifically) 
E> behaves when acting as a firewall.  I understand the pf process is 
E> "giant locked" to a single CPU core when inspecting packets inbound and 
E> outbound.  I was wondering, how does that manifest when I look at "top 
E> -P" on the firewall?

pf isn't a process, so you can't see it in top. pf does have some helper
threads, but packet processing isn't performed by any of them.

pf is kind of a library in the kernel. The packets are processed by
NIC interrupt handler threads, and these threads enter the library
to perform packet filtering. Since in FreeBSD 8 this library is
covered by a single lock (it isn't the Giant, but it is kind of a
"local pf giant"), processing is serialized - threads enter the
library one by one, and they are blocked on entry if another
thread is already working inside.

In FreeBSD 10 pf is no longer under a single lock. On your hardware,
I'd expect a measurable performance gain if you migrate to 10.

-- 
Totus tuus, Glebius.


More information about the freebsd-net mailing list