is polling still a thing?

Jim Thompson jim at netgate.com
Tue Jan 27 18:03:20 UTC 2015 



> On Jan 27, 2015, at 11:28 AM, Antoine Beaupré <anarcat at koumbit.org> wrote:
> 
> (Please CC, as i am not on the list.)
> 
> I was surprised to read this article in the pfSense blog:
> 
> https://blog.pfsense.org/?p=115 <https://blog.pfsense.org/?p=115>

That article is from June 2007.  It’s over seven years old.  Times change.


> TLDR: "At this time, polling is not recommended at all.”

There are situations which warrant polling.

> Is that true? I am trying to tweak a Supermicro machine as a router to
> survive major DDOS attacks on a 1gbps link. So far, I can't get far
> beyond the 100kpps and 50mbps mark.
> 
> The hardware is:
> 
> * 2xIntel E1G44HTBLK NICs

Quad port i340 PCIe Nic (igb(4) driver)

> * 1xIntel 1220LV2 CPU

2 core Ivy Bridge @ 2.3GHz

> More detailed specs here:
> 
> https://wiki.koumbit.net/rtr1.koumbit.net <https://wiki.koumbit.net/rtr1.koumbit.net>

Says you’re running 9.3

The pf in 9.3 is single-threaded.

> We are using a stateful pf firewall and polling on the network
> interfaces. We got around 100kpps during the DDOS, with 700kpps dropped
> (or at least 700k/s errors) on the NIC. The DDOS was apparently 5.5gbps
> but around 400mbps reached our port from upstream's point of view. The
> kernel interfaces counted around 50mbps:
> 
> https://redmine.koumbit.net/attachments/download/7706
> https://redmine.koumbit.net/attachments/download/7707
> https://redmine.koumbit.net/attachments/download/7708
> https://redmine.koumbit.net/attachments/download/7709 <https://redmine.koumbit.net/attachments/download/7709>

These want a login/password to access.

> 
> The load on the router was fine during the DDOS, but of course packet
> loss was endemic.
> 
> At this point, I'm considering the following options:
> 
> * switching to an Intel IGB nic
You already have one.

> * enabling fastforwarding
typically a good idea.

> * tweak the number of IGB queues
> 
> Any recommendations would be welcome.

Have you considered FreeBSD 10.1?

> Thanks!
> 
> A.
> 
> -- 
> feature, n: a documented bug | bug, n: an undocumented feature
>                        - Mario S F Ferreira <lioux at FreeBSD.org>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"

More information about the freebsd-net mailing list