8.0 network problem

Roland Smith rsmith at xs4all.nl
Tue Jul 6 21:28:33 UTC 2010


On Tue, Jul 06, 2010 at 01:32:22PM -0700, Jeremy Chadwick wrote:
> Back to the problem at hand:
> 
> I wonder if it's lack of "quick" on some rules which is causing the
> problem; hard to say, 

That would stop evaluation of further rules, sure. But it seems most of the
rules concern the external interface.

_Assuming_ that the samba clients are on the internal interface, it would make
sense to put the few rules concerning that interface as early as possible in
the list of filter rules, and indeed add the quick keyword.

Alternatively, one could consider adding this interface to the list of skipped
interfaces. This would at least be useful for testing purposes, since it would
preclude pf from processing packages on this interface. If this fixes the
problem, there is some problem in the ruleset.

> and I'm not sure how to "benchmark" pf.

Looking at the output of 'pfctl -vvs rules' would be a start, I think. If the
rules that are matched most are at the end of the filter rules, all previous
rules are evaluated, AFAIK. For more info try 'pfctl -vvs all'.

In the past I found it useful to set up a point-to-point connection between
two FreeBSD machines, and then do some throughput measurements using
e.g. nc(1). Start with pf disabled, then enhance the ruleset rule-by-rule and
see if performance is influenced. A couple of years ago I did this, and IIRC
the largest influence I could find was the type of ethernet adapter
used. Can't find any notes from that experiment but I could repeat it if it is
deemed interesting.

> Furthermore, remember that the OP can move to another NIC and the
> problem goes away[1].  I know there have been issues in the past
> reported with em(4) and pf ALTQ, but that isn't in use here.

There are lots of other crappy ethernet adapters out there. E.g. re(4) and
rl(4) tend to suck in my experience. Of course if the hardware was changed but
not the relevant filter rules, it would default to "pass". :-)

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
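
An added example, not part of the message above or of the thread: a small parser for the per-rule counters that 'pfctl -vvs rules' prints, listing rules that carry most of the matched packets but sit late in the list without "quick". The sample output, its counters, the interface names and the 25% threshold are constructed assumptions.

```python
import re

# Constructed sample in the layout printed by `pfctl -vvs rules`
# (assumed layout; rules and counters are made up, not from the thread).
SAMPLE = """\
@0 block drop in log on re0 all
  [ Evaluations: 90210     Packets: 412       Bytes: 24720       States: 0     ]
  [ Inserted: uid 0 pid 734 ]
@1 pass in on re0 inet proto tcp from any to any port = ssh flags S/SA keep state
  [ Evaluations: 90210     Packets: 1530      Bytes: 201344      States: 2     ]
  [ Inserted: uid 0 pid 734 ]
@2 pass out on re0 all flags S/SA keep state
  [ Evaluations: 90210     Packets: 8800      Bytes: 5120000     States: 14    ]
  [ Inserted: uid 0 pid 734 ]
@3 pass in on em0 inet proto tcp from 192.168.1.0/24 to any port = microsoft-ds flags S/SA keep state
  [ Evaluations: 61000     Packets: 734000    Bytes: 912000000   States: 6     ]
  [ Inserted: uid 0 pid 734 ]
"""

RULE = re.compile(r"^@(\d+)\s+(.*)$")
COUNTER = re.compile(r"(Evaluations|Packets|Bytes|States):\s*(\d+)")

def parse_rules(text):
    """Return one dict per rule: number, rule text, quick flag, counters."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            body = m.group(2)
            rules.append({"nr": int(m.group(1)), "rule": body,
                          "quick": "quick" in body.split()})
        elif rules:
            # Counter lines belong to the most recently seen rule.
            for key, val in COUNTER.findall(line):
                rules[-1][key.lower()] = int(val)
    return rules

def reorder_candidates(rules, min_share=0.25):
    """Rules with >= min_share of all matched packets that are not first
    in the list and lack 'quick': (rule nr, packet share, rules before it)."""
    total = sum(r.get("packets", 0) for r in rules) or 1
    out = []
    for pos, r in enumerate(rules):
        share = r.get("packets", 0) / total
        if share >= min_share and pos > 0 and not r["quick"]:
            out.append((r["nr"], round(share, 2), pos))
    return out

if __name__ == "__main__":
    for nr, share, before in reorder_candidates(parse_rules(SAMPLE)):
        print(f"rule @{nr}: {share:.0%} of packets, {before} rules evaluated first")
```

On a live system the input would be the saved output of 'pfctl -vvs rules' instead of SAMPLE.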