Res: Res: Dropped Packets

Bill Marquette bill.marquette at gmail.com
Sun Mar 9 15:17:38 UTC 2008


On Fri, Mar 7, 2008 at 4:40 PM, Lorenz Helleis
<lorenzhelleis at yahoo.com.br> wrote:
> This is an internal firewall... I think the entry in the session table is disappearing, so the client needs to make
> another connection. I'm thinking about creating a stateless rule.

I suspect this will only decrease your packet rates.  From what I
understand, state table lookups are MUCH cheaper than rule table
lookups.  Also, the congestion count increases (from memory) when the
NIC can't send packets; you might look at increasing the
net.inet.ip.intr_queue_maxlen sysctl if net.inet.ip.intr_queue_drops
is showing a non-zero value (which it likely is if you are pushing
400kpps w/out increasing the queue).

BTW, what version of FreeBSD? I didn't see it mentioned in the thread already.

--Bill
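Bill's check above, sampling net.inet.ip.intr_queue_drops over a window before deciding whether net.inet.ip.intr_queue_maxlen needs raising, written out as a small script. This is an added example and not code from the thread or the FreeBSD project; the two sysctl names are the real FreeBSD OIDs mentioned in the reply, while the sampling window, the "double it and re-measure" heuristic, and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): sample the cumulative IP input
# queue drop counter and decide whether intr_queue_maxlen should be raised.
# The sysctl OIDs are FreeBSD's; the doubling heuristic and the default
# 5-second window are assumptions made for this example.

DROPS_OID=net.inet.ip.intr_queue_drops
MAXLEN_OID=net.inet.ip.intr_queue_maxlen

# drop_delta BEFORE AFTER -> packets dropped between two samples.
# The counter only ever grows, so a non-zero delta means drops are
# happening now, not merely that some occurred since boot.
drop_delta() {
    echo $(( $2 - $1 ))
}

# should_raise DELTA -> true (exit 0) when drops occurred during the window.
should_raise() {
    [ "$1" -gt 0 ]
}

# suggest_maxlen CURRENT -> proposed new queue length. Assumption: double it,
# re-measure, and repeat, rather than picking a huge value blindly.
suggest_maxlen() {
    echo $(( $1 * 2 ))
}

# check_queue_drops SECONDS: read the live counters on a FreeBSD host, report
# the drop count for the window, and print the sysctl command that would apply
# the suggested length. It prints the command; it does not change the setting.
check_queue_drops() {
    window=${1:-5}
    before=$(sysctl -n "$DROPS_OID") || { echo "cannot read $DROPS_OID" >&2; return 1; }
    sleep "$window"
    after=$(sysctl -n "$DROPS_OID")
    delta=$(drop_delta "$before" "$after")
    current=$(sysctl -n "$MAXLEN_OID")
    echo "$DROPS_OID: $delta dropped in ${window}s (queue length $current)"
    if should_raise "$delta"; then
        echo "input queue is overflowing; consider:"
        echo "  sysctl $MAXLEN_OID=$(suggest_maxlen "$current")"
        echo "  (put the same line in /etc/sysctl.conf to keep it across reboots)"
    else
        echo "no drops in this window; the input queue is not the bottleneck"
    fi
}

# Only read the live sysctls when explicitly asked: ./check_drops.sh run [seconds]
case "${1:-}" in
    run) check_queue_drops "${2:-5}" ;;
esac
```

Run it as `sh check_drops.sh run 10` on the firewall while the 400kpps load is on it; a zero delta across several windows means the drops Lorenz is seeing come from somewhere other than the IP input queue, and a stateless rule would not help either way, for the lookup-cost reason Bill gives.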

