Res: Res: Dropped Packets
Bill Marquette
bill.marquette at gmail.com
Sun Mar 9 15:17:38 UTC 2008
On Fri, Mar 7, 2008 at 4:40 PM, Lorenz Helleis
<lorenzhelleis at yahoo.com.br> wrote:
> This is an internal firewall... I think the entry in the table session is
> disappearing, so the client needs to make another connection. I'm thinking
> about creating a stateless rule.
I suspect this will only decrease your packet rates. From what I
understand, state table lookups are MUCH cheaper than rule table
lookups. Also, the congestion count increases (from memory) when the
NIC can't send packets; you might look at increasing the
net.inet.ip.intr_queue_maxlen sysctl if net.inet.ip.intr_queue_drops
is showing a non-zero value (which it likely is if you are pushing
400kpps w/out increasing the queue).
BTW, what version of FreeBSD? I didn't see it already mentioned in the thread.
--Bill