is polling still a thing?
Jim Thompson
jim at netgate.com
Tue Jan 27 18:03:20 UTC 2015
> On Jan 27, 2015, at 11:28 AM, Antoine Beaupré <anarcat at koumbit.org> wrote:
>
> (Please CC, as I am not on the list.)
>
> I was surprised to read this article in the pfSense blog:
>
> https://blog.pfsense.org/?p=115
That article is from June 2007. It’s over seven years old. Times change.
> TLDR: "At this time, polling is not recommended at all."
There are situations which warrant polling.
> Is that true? I am trying to tweak a Supermicro machine as a router to
> survive major DDOS attacks on a 1gbps link. So far, I can't get far
> beyond the 100kpps and 50mbps mark.
>
> The hardware is:
>
> * 2xIntel E1G44HTBLK NICs
Quad port i340 PCIe NIC (igb(4) driver)
> * 1xIntel 1220LV2 CPU
2 core Ivy Bridge @ 2.3GHz
> More detailed specs here:
>
> https://wiki.koumbit.net/rtr1.koumbit.net
Says you’re running 9.3
The pf in 9.3 is single-threaded.
> We are using a stateful pf firewall and polling on the network
> interfaces. We got around 100kpps during the DDOS, with 700kpps dropped
> (or at least 700k/s errors) on the NIC. The DDOS was apparently 5.5gbps
> but around 400mbps reached our port from upstream's point of view. The
> kernel interfaces counted around 50mbps:
>
> https://redmine.koumbit.net/attachments/download/7706
> https://redmine.koumbit.net/attachments/download/7707
> https://redmine.koumbit.net/attachments/download/7708
> https://redmine.koumbit.net/attachments/download/7709
These want a login/password to access.
>
> The load on the router was fine during the DDOS, but of course packet
> loss was endemic.
>
> At this point, I'm considering the following options:
>
> * switching to an Intel IGB nic
You already have one.
> * enabling fastforwarding
Typically a good idea.
> * tweak the number of IGB queues
>
> Any recommendations would be welcome.
Have you considered FreeBSD 10.1?
> Thanks!
>
> A.
>
> --
> feature, n: a documented bug | bug, n: an undocumented feature
> - Mario S F Ferreira <lioux at FreeBSD.org>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"