Blocking udp flood traffic using pf, hints welcome
Jeremy Chadwick
koitsu at FreeBSD.org
Mon Nov 10 01:31:43 PST 2008
On Sun, Nov 09, 2008 at 05:47:54PM +0000, Peter Maxwell wrote:
> ii) Ensure you're using a good NIC, the CPU offload abilities in Intel
> (and I think Broadcom) cards can reduce the impact on CPU generally.
I think (hope) what you're referring to are TSO, LRO, and TX/RX checksum
offloading.

Assuming you are, you should be aware of the following:

* These features do not greatly reduce CPU usage; the impact is minimal.

* Both TSO and TX/RX checksums are known to be buggy on many NICs,
  including some developed within the past year. I can refer you to many
  threads on -hardware, -current, and -stable discussing this fact,
  specifically from the driver authors themselves. Sometimes it's just
  rxcsum which is buggy, or just txcsum. I do not believe Broadcom or
  Intel NICs are affected by such issues, but regardless it's important
  users understand these features *can* lead to packet corruption on some
  NICs.

* TX/RX checksum offloading often confuses users who use tcpdump or
  Wireshark -- "why are all of my packets showing checksum errors??!"
  being a common question even today. It often leads users on a wild
  goose chase, thinking those messages indicate the source of their
  problems.

If you weren't referring to these features, what were you referring to?
I'm curious to know.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
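
A small check for the tcpdump confusion described in the message above, as an added example that is not part of the original post: it reads FreeBSD `ifconfig` output and reports whether bad checksums on outbound packets in a capture are the expected side effect of TX checksum offload. The function names and both sample `ifconfig` outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample ifconfig output below is constructed, not captured.
SAMPLE_OFFLOAD_ON='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
    ether 00:00:5e:00:53:01'
SAMPLE_OFFLOAD_OFF='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 00:00:5e:00:53:01'

# Read ifconfig output on stdin; print each enabled offload flag on its own line.
offload_flags() {
    sed -n 's/^[[:space:]]*options=[0-9a-fA-F]*<\(.*\)>.*$/\1/p' |
        tr ',' '\n' |
        grep -E '^(RXCSUM|TXCSUM|TSO4|TSO6|LRO)$' || true
}

# With TXCSUM on, the capture point sees outbound packets before the NIC
# fills in the checksum, so tcpdump flags them as bad even though the wire
# copy is fine. Without TXCSUM, a bad checksum in a capture is worth chasing.
csum_verdict() {
    if printf '%s\n' "$1" | offload_flags | grep -qx 'TXCSUM'; then
        echo outbound-expected
    else
        echo investigate
    fi
}

report() {
    flags=$(printf '%s\n' "$1" | offload_flags | tr '\n' ' ')
    echo "offloads enabled: ${flags:-none}"
    echo "bad outbound checksums in tcpdump: $(csum_verdict "$1")"
}

# On a real host: report "$(ifconfig em0)"
# To rule a feature out while testing: ifconfig em0 -txcsum -rxcsum -tso -lro
# tcpdump -K skips checksum verification when offload makes it noise.
report "$SAMPLE_OFFLOAD_ON"
report "$SAMPLE_OFFLOAD_OFF"
```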