Flowtables -- any tuning hints?

Kip Macy kmacy at freebsd.org
Mon Jul 13 00:50:32 UTC 2009


>
> This is interesting functionality, but I think we need to look at it a bit
> closer for our use case. Is there any benefit in running this in a firewall
> scenario? That's primarily what Scott and I (pfsense) are interested in. In
> our world, if you're pushing 50Kpps+, you're almost certainly falling into
> the "small ISP doing IP forwarding" scenario with hundreds of thousands of
> unique destinations. Where we usually see these kinds of loads are small
> ISPs, web hosting companies, or universities (which are functionally not
> much diff from a small ISP), all of which I'm familiar with falling into the
> "better off disabling" category. I also suspect pf's locking negates some or
> all of the benefits here.

If you lack any locality, i.e. within a 30 second window most of
the recipients are distinct, then it is not likely to be beneficial. I
encourage you to test with and without.


> I suspect it's not applicable to the specific workload our users normally
> have, where you're almost entirely doing IP forwarding, and initiating very
> little if any traffic. bz@ said it's not something you want on a router. Is
> that a fair assessment?

Probably. As I say, please test with vs. without. Odds are you are
correct that even with locality the contention in PF will mask any
benefit.


Thanks,
Kip
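
One way to quantify the locality described above before switching flowtables on, as an added example that is not from this thread and not FreeBSD's flowtable code: replay the destination stream of a capture through a toy per-destination cache whose entries expire after 30 seconds of inactivity and report the hit rate. A hit rate near zero means the workload has no locality and the table is only overhead. The tcpdump -ttn line format, the 30 second window, the synthetic round-robin workloads and the sample capture lines are all assumptions constructed for the example.

```python
"""
Added example, not FreeBSD flowtable code: estimate how much a
per-destination cache would help a given traffic mix.

A cache entry is keyed on destination address and counts as live if that
destination was seen again within WINDOW seconds (30 s, as in the reply).
The hit rate is the fraction of packets that found a live entry.
"""
import re
import sys

WINDOW = 30.0  # assumed inactivity timeout, matching the 30 s window above

# Assumed `tcpdump -ttn` line shape: "<epoch.usec> IP <src> > <dst>: ..."
TCPDUMP_RE = re.compile(r"^(\d+\.\d+) IP (\S+) > (\S+?):")


def parse_tcpdump(lines):
    """Yield (timestamp, dst_ip) from tcpdump -ttn output; skip other lines."""
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        ts, dst = float(m.group(1)), m.group(3)
        if dst.count(".") == 4:  # "a.b.c.d.port" -> drop the port
            dst = dst.rsplit(".", 1)[0]
        yield ts, dst


def flow_cache_hit_rate(packets, window=WINDOW):
    """packets: iterable of (timestamp_seconds, dst_ip) in time order.

    Returns hits / total. Unlike the kernel table, this keeps every
    destination ever seen; it only measures locality, not memory use.
    """
    last_seen = {}
    hits = total = 0
    for ts, dst in packets:
        total += 1
        seen = last_seen.get(dst)
        if seen is not None and ts - seen <= window:
            hits += 1
        last_seen[dst] = ts
    return hits / total if total else 0.0


def synthetic(n_packets, n_destinations, interval):
    """Constructed workload: round-robin over n_destinations (<= 256),
    one packet every `interval` seconds."""
    return [(i * interval, "203.0.113.%d" % (i % n_destinations))
            for i in range(n_packets)]


# Constructed sample capture (not real traffic).
SAMPLE = """\
1247446232.000000 IP 10.0.0.1.40000 > 192.0.2.5.80: Flags [S], seq 1, win 65535, length 0
1247446232.100000 IP 10.0.0.1.40001 > 192.0.2.5.80: Flags [S], seq 1, win 65535, length 0
1247446232.200000 IP 10.0.0.2.40000 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
1247446233.000000 IP 10.0.0.1 > 192.0.2.5: ICMP echo request, id 1, seq 1, length 64
1247446300.000000 IP 10.0.0.3.40000 > 192.0.2.5.80: Flags [S], seq 1, win 65535, length 0
"""


if __name__ == "__main__":
    # Host-like: 10 destinations revisited every second -> high locality.
    print("host-like      ", flow_cache_hit_rate(synthetic(1000, 10, 0.1)))
    # Forwarder-like: 100 destinations, each revisited only every 100 s.
    print("forwarder-like ", flow_cache_hit_rate(synthetic(1000, 100, 1.0)))
    if sys.stdin.isatty():
        print("sample capture ", flow_cache_hit_rate(parse_tcpdump(SAMPLE.splitlines())))
    else:  # e.g. tcpdump -ttn -i <if> ip | python3 this_script.py
        print("stdin capture  ", flow_cache_hit_rate(parse_tcpdump(sys.stdin)))
```

Note that the forwarder-like workload has only 100 distinct destinations and still scores zero, because no destination repeats inside the window; locality is about revisit interval, not just the size of the destination set. The script only tells you whether there is anything for a flow cache to hit; it says nothing about the lock contention in pf, so the with/without test on the real box is still the final word.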


More information about the freebsd-current mailing list