PF makes em0 taskq to eat 100% CPU
Stefan Lambrev
stefan.lambrev at moneybookers.com
Thu Jan 24 07:56:24 PST 2008
Hello,
I'm doing some tests and benchmarks, and I'm testing pf on a bridge firewall.
One of the specific tests is how PF handles a SYN flood from random
source addresses.
While the bridge is without PF activated, I see 12-14MB/s of traffic.
When I enable PF the traffic drops to 2-5MB/s and I start to
see lost packets.
Here is what top -S shows when PF is not active:
25 root 1 -68 - 0K 16K - 1 34:45 26.37% em0 taskq
- only 26% CPU used, but when I enable PF it (em0 taskq) goes up to 100% and packets are lost.
Here is the pf.conf used for tests:
#macros
ext_if="em0"
int_if="em1"
br_if="bridge0"
www="10.3.3.1"
#sets
set skip on lo0
set skip on $int_if
set skip on $br_if
set limit states 20000000
set limit src-nodes 15000
set optimization aggressive
table <abusive_hosts> persist file "/etc/abusive_hosts"
block log quick from <abusive_hosts> to any
block log quick from any to <abusive_hosts>
pass in quick on $ext_if proto tcp from any to $www port { 80, 443 } \
    flags S/SA keep state \
    (source-track rule, max-src-conn-rate 150/10, max-src-states 250, \
    overload <abusive_hosts> flush global)
The number of states that I reach is a little more than 2,000,000.
(20,000,000 is the limit that I enforce.)
FreeBSD 7.0-RC1 - Thu Jan 24 - amd64 - sched_ule
Please advise.
--
Best Wishes,
Stefan Lambrev
ICQ# 24134177
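Added example (not part of the post, and not pf's own code): a simplified Python model of the source-tracking options in the pf.conf above (max-src-conn-rate 150/10, max-src-states 250, overload <abusive_hosts> flush global, set limit states), driven by two constructed SYN streams. It shows the behaviour the rule is designed for, an aggressive single source being moved into the table and flushed, next to the case the post is benchmarking: a flood in which every SYN carries a different spoofed source, where no per-source counter ever reaches its threshold and every SYN instead becomes a new state entry. The addresses, timestamps, class and function names are assumptions; real pf keeps these counters in the kernel, expires states, and the exact point at which a connection is counted differs from this sliding window, so the model is illustrative, not a reimplementation.

```python
# Added example, not from the post or from pf's source. Simplified model of
# pf's 'source-track rule' bookkeeping for a single pass rule.
from collections import defaultdict, deque


class PfSourceTrackModel:
    """Toy model of the source-tracking options used in the pf.conf above.

    Assumptions (not pf's real implementation): the connection-rate counter
    is a sliding window evaluated at SYN arrival, and a state is a (src, sport)
    pair that is never expired.
    """

    def __init__(self, conn_rate=(150, 10), max_src_states=250,
                 state_limit=20_000_000):
        self.rate_count, self.rate_window = conn_rate   # max-src-conn-rate 150/10
        self.max_src_states = max_src_states            # max-src-states 250
        self.state_limit = state_limit                  # set limit states
        self.states = set()                             # live state entries
        self.src_states = defaultdict(int)              # per-source state counts
        self.conn_times = defaultdict(deque)            # per-source SYN timestamps
        self.abusive_hosts = set()                      # the <abusive_hosts> table
        self.dropped = 0

    def syn(self, src, sport, now):
        """Handle one inbound SYN; return 'pass', 'block' or 'drop'."""
        if src in self.abusive_hosts:
            self.dropped += 1
            return "block"            # block log quick from <abusive_hosts>
        if self.src_states[src] >= self.max_src_states:
            self.dropped += 1
            return "drop"             # max-src-states reached for this source
        times = self.conn_times[src]
        while times and now - times[0] >= self.rate_window:
            times.popleft()           # forget SYNs older than the 10 s window
        times.append(now)
        if len(times) > self.rate_count:
            self._overload(src)       # overload <abusive_hosts> flush global
            return "block"
        if len(self.states) >= self.state_limit:
            self.dropped += 1
            return "drop"             # global state limit exhausted
        self.states.add((src, sport))
        self.src_states[src] += 1
        return "pass"

    def _overload(self, src):
        """Insert src into the table and kill every state it owns (flush global)."""
        self.abusive_hosts.add(src)
        self.states = {s for s in self.states if s[0] != src}
        self.src_states[src] = 0
        self.conn_times[src].clear()


def single_source_flood(n=1000):
    """Constructed input: one source sends n SYNs 10 ms apart (n=1000 -> 10 s).

    Returns (SYNs passed, source ended up in <abusive_hosts>, states left).
    """
    pf = PfSourceTrackModel()
    verdicts = [pf.syn("198.51.100.7", 1024 + i, i * 0.01) for i in range(n)]
    return verdicts.count("pass"), "198.51.100.7" in pf.abusive_hosts, len(pf.states)


def random_source_flood(n=100_000):
    """Constructed input: n SYNs, each from a distinct spoofed 10.0.0.0/8 source.

    Returns (SYNs passed, table size, states created).
    """
    pf = PfSourceTrackModel()
    verdicts = []
    for i in range(n):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        verdicts.append(pf.syn(src, 40000, i * 0.0001))   # 10k SYN/s
    return verdicts.count("pass"), len(pf.abusive_hosts), len(pf.states)


if __name__ == "__main__":
    print("single source :", single_source_flood())   # (150, True, 0)
    print("random sources:", random_source_flood())   # (100000, 0, 100000)
```

The single source passes its first 150 SYNs, trips max-src-conn-rate on the 151st, is inserted into <abusive_hosts>, and has its states flushed. In the distinct-source run no source ever owns more than one state or one SYN in the window, so the table stays empty and every SYN is answered with a fresh state entry; the only thing that eventually stops that growth in this model is set limit states, which is the mechanism the post's state count of just over 2,000,000 reflects.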