PF makes em0 taskq to eat 100% CPU

Stefan Lambrev stefan.lambrev at moneybookers.com
Thu Jan 24 09:37:29 PST 2008



Abdullah Ibn Hamad Al-Marri wrote:
> ----- Original Message ----
>   
>> From: Stefan Lambrev <stefan.lambrev at moneybookers.com>
>> To: freebsd-pf at freebsd.org
>> Sent: Thursday, January 24, 2008 6:39:41 PM
>> Subject: PF makes em0 taskq to eat 100% CPU
>>
>> Hello,
>>
>> I'm doing some tests and benchmarks and I'm testing pf on bridge firewall.
>> One of the specific tests is how PF will handle SYN flood from random 
>> source addresses.
>> While the bridge is w/o activated PF, I see 12-14MB/s traffic.
>> When I enable the PF the traffic drops to 2-5MB/s and I'm starting to 
>> see lost packets.
>>
>> Here is what top -S shows when PF is not active:
>>    25 root        1 -68    -     0K    16K -      1  34:45 26.37% em0 taskq - only 26% CPU used
>>
>> but when I enable PF it (em0 taskq) goes up to 100% and packets are lost.
>>
>> Here is the pf.conf used for tests:
>>
>> #macros
>> ext_if="em0"
>> int_if="em1"
>> br_if="bridge0"
>>
>> www="10.3.3.1"
>>
>> #sets
>> set skip on lo0
>> set skip on $int_if
>> set skip on $br_if
>> set limit states 20000000
>> set limit src-nodes 15000
>> set optimization aggressive
>>
>> table  persist file "/etc/abusive_hosts"
>>
>> block log quick from  to any
>> block log quick from any to 
>>
>> pass in quick on $ext_if proto tcp from any to $www port { 80, 443 } flags S/SA keep state \
>> (source-track rule, max-src-conn-rate 150/10, max-src-states 250, overload  flush global)
>>
>> The number of states that I reach is a little more than 2,000,000. 
>> (20,000,000 is the limit that I enforce)
>> FreeBSD 7.0-RC1-  Thu Jan 24 - amd64 - sched_ule
>>
>> Please advise.
>>
>> -- 
>>
>> Best Wishes,
>> Stefan Lambrev
>> ICQ# 24134177
>>
>>     
>
> Hello Stefan,
>
> What version of FreeBSD do you use and what arch? What is your CPU spec and what RAM?
>   

FreeBSD 7.0-RC1 - Thu Jan 24 - amd64 - sched_ule. My CPU is Xeon(R) 
X3220 2.4 GHz - quad core, 2GB RAM.
I increased kern.ipc.nmbclusters=262144.
I find device polling quite helpful here - at least the CPUs are idle.
>
>  
> Regards, 
> -Abdullah Ibn Hamad Al-Marri
> Arab Portal
> http://www.WeArab.Net/

-- 

Best Wishes,
Stefan Lambrev
ICQ# 24134177


