ipfw verrevpath performance broken in 9.2

Denis V. Klimkov falcon at tcm.by
Fri Dec 27 14:15:36 UTC 2013


Hello Freebsd-net,

Recently upgraded router system from 9.0-RELEASE to 9.2-STABLE and
got 100% CPU utilisation on all cores with interrupts under the same
load that had about 25-30% CPU utilisation before. Of course that led
to high latency (about 400 ms and packet loss).
Load reduced immediately after I removed all ipfw antispoofing rules with
"verrevpath":
11010       3659429        430047150 deny ip from any to any not verrevpath in via vlan6
11020        719931         58619220 deny ip from any to any not verrevpath in via vlan7
11025         68141          5144481 deny ip from any to any not verrevpath in via vlan8
11030        202144          6785732 deny ip from any to any not verrevpath in via vlan9
11040        171291         56196945 deny ip from any to any not verrevpath in via vlan10
11045     291914032      39427773226 deny ip from any to any not verrevpath in via vlan11
11060       6102962        441745213 deny ip from any to any not verrevpath in via vlan15
11070       4832442       1259880158 deny ip from any to any not verrevpath in via vlan16
11080        814769         95745079 deny ip from any to any not verrevpath in via vlan17
11101       2901098        628552748 deny ip from any to any not verrevpath in via vlan26
11102       1264750        146468688 deny ip from any to any not verrevpath in via vlan27
11110        902441        294155831 deny ip from any to any not verrevpath in via vlan21
11120        628324         31060933 deny ip from any to any not verrevpath in via vlan23
11130          1381            83245 deny ip from any to any not verrevpath in via vlan24
11138       4258607       3389925416 deny ip from any to any not verrevpath in via vlan31
11150            56             2792 deny ip from any to any not verrevpath in via vlan40

Is there a way to fix the verrevpath performance issue in 9.2 and further?
There is no problem to remove these rules on this system, but I also
have 2 systems running MPD with about 2000 PPPoE ng interfaces with
very handy ipfw rule "deny ip from any to any not verrevpath in via
ng*".

--- 
Denis V. Klimkov
