PF in FreeBSD 5.3 versus 6.x

Michael Conlen m at
Tue Oct 9 12:47:25 PDT 2007

I've noticed at some point between 5.3 and 6.0 that PF seems to be  
dropping more packets than with 5.3 and there is increased deviation  
in latency. Using the same equipment handling about 25k PPS each way  
I see about 0.3% packet loss with FreeBSD 6.2 and 6.0 with sub 0.1%  
loss with FreeBSD 5.3.  Similarly, the worst-case response times for  
ICMP packets are much lower in 5.3 than in either version of 6.

I'm using something pretty vanilla in terms of setup. No ALTQ support  
or features, no redirects, just a lot of blocking and allowing. The  
firewalls are using server class 3Com and Intel Gigabit (Fiber)  
cards. The changes were noticed going forward and undone by going  
back to FreeBSD 5.3 so I don't suspect physical problems at the moment.

My pf.conf is essentially a block in all followed by a block in quick  
against a table with 2000 entries, many of them /24s or /16s, followed by  
pass rules to the various host:ports we allow.

If I log in to the firewalls themselves and run mtr in each direction  
I don't see any traffic loss. It's only when crossing the firewalls.

Usage is about 25k packets per second and 100Mbit/sec 5 minute max  
traffic. The switches are Foundry SI-800g.

Also doing about 25k searches/sec, with 400 inserts, 270 removals and  
407 matches per second. The state table seems to run about  
70,000 to 90,000.

Are there issues I should be aware of and should pf be able to handle  
this kind of load?

Michael Conlen
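The ruleset shape the post describes (a default "block in all", an early "block in quick" against a large table, then explicit pass rules), written out as an added example for readers of the archive. This is not the poster's pf.conf; the interface names, table name, addresses, ports and state limit are all assumed for illustration.

```pf
# Added example reconstructing the ruleset style described in the post.
# Not the poster's configuration: interface names, the table name, every
# address/port and the state limit below are assumptions.

ext_if = "em0"          # assumed: external gigabit interface
int_if = "em1"          # assumed: internal interface

# Large deny list kept in its own file so it can be reloaded without
# re-parsing the ruleset:  pfctl -t blocked -T replace -f /etc/pf.blocked
# Entries may be hosts or prefixes (/24, /16); lookups are a radix-tree walk.
table <blocked> persist file "/etc/pf.blocked"

# Assumed services behind the firewall.
www_srv  = "192.0.2.10"
mail_srv = "192.0.2.20"

# pf of the 5.x/6.x era defaults to 10000 states; the post reports 70k-90k
# in use, so the limit has to be raised explicitly or new states are refused.
set limit states 200000

# Default deny for inbound traffic. Without "quick" pf keeps evaluating and
# the LAST matching rule wins, so this rule loses to any later pass rule.
block in all

# Consult the table once, early, and stop (quick) on a hit, so a blocked
# packet never walks the pass list below.
block in quick on $ext_if from <blocked> to any

# Explicit passes. pf of this era does not keep state by default, so
# "flags S/SA keep state" is spelled out; once a state exists, follow-up
# packets are answered from the state table (the "searches" counter in
# pfctl -si) instead of re-walking the ruleset.
pass in on $ext_if proto tcp from any to $www_srv  port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail_srv port 25            flags S/SA keep state

# Outbound is not blocked above, but replies are inbound and would hit
# "block in all" unless the outbound connection created a state first.
pass out on $ext_if keep state
```

The counters quoted in the post (searches, inserts, removals, match) are the State Table and Counters sections of `pfctl -si`; sampling them twice over a known interval and comparing inserts against removals shows whether the table is creeping toward `set limit states`, which is the first thing to rule out when a stateful firewall starts dropping a fraction of a percent of traffic under otherwise unchanged load.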

