ipfw verrevpath performance broken in 9.2

Alexander V. Chernikov melifaro at FreeBSD.org
Fri Dec 27 10:27:54 UTC 2013 

On 27.12.2013 10:34, Denis V. Klimkov wrote:
> Hello Freebsd-net,
Hi!
>
> Recently upgraded router system from 9.0-RELEASE to 9.2-STABLE and
> got 100% CPU utilisation on all cores with interrupts under the same
> load that had about 25-30% CPU utilisation before. Of course that lead
Looks interesting.
Are you sure all other configs/data load are the same?

I'm particularly interested in changes in: number of NIC queues, their 
bindings and firewall ruleset.

Can you share your traffic rate (e.g. netstat -i -w1), cpu info and NIC 
info?

What does system load (without verrevpath) looks like in comparison with 
9.0 (in terms of CPU _and_ packets/sec) ?
> to high latency (about 400 ms and packet loss).
> Load reduced immediately after I removed all ipfw antispoofing rules with
> "verrevpath":
> 11010       3659429        430047150 deny ip from any to any not verrevpath in via vlan6
> 11020        719931         58619220 deny ip from any to any not verrevpath in via vlan7
> 11025         68141          5144481 deny ip from any to any not verrevpath in via vlan8
> 11030        202144          6785732 deny ip from any to any not verrevpath in via vlan9
> 11040        171291         56196945 deny ip from any to any not verrevpath in via vlan10
> 11045     291914032      39427773226 deny ip from any to any not verrevpath in via vlan11
> 11060       6102962        441745213 deny ip from any to any not verrevpath in via vlan15
> 11070       4832442       1259880158 deny ip from any to any not verrevpath in via vlan16
> 11080        814769         95745079 deny ip from any to any not verrevpath in via vlan17
> 11101       2901098        628552748 deny ip from any to any not verrevpath in via vlan26
> 11102       1264750        146468688 deny ip from any to any not verrevpath in via vlan27
> 11110        902441        294155831 deny ip from any to any not verrevpath in via vlan21
> 11120        628324         31060933 deny ip from any to any not verrevpath in via vlan23
> 11130          1381            83245 deny ip from any to any not verrevpath in via vlan24
> 11138       4258607       3389925416 deny ip from any to any not verrevpath in via vlan31
> 11150            56             2792 deny ip from any to any not verrevpath in via vlan40
>
> Is there a way to fix verrevpath performance issue in 9.2 and futher?
> There is no problem to remove this rules on this system, but I also
> have 2 systems running MPD with about 2000 PPPoE ng interfaces with
> very handy ipfw rule "deny ip from any to any not verrevpath in via
There were no changes related to verrevpath directly, but there were 
some related to generic
netgraph/lookup performance.

I've got some idea about what can be happening here, but I need your 
numbers/other info first.

> ng*".
>
> ---
> Denis V. Klimkov
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>

More information about the freebsd-net mailing list