PF makes em0 taskq to eat 100% CPU
Tommy Pham
tommyhp2 at yahoo.com
Thu Jan 24 10:43:57 PST 2008
Hi Stefan,
I suggest you cvs the source to branch RELENG_7 and rebuild world and
kernel. (Rebuilding kernel helps a little but still has performance
hits.) I had major performance issues with RC1 on my P3 box (128 RAM)
with load hitting 6+ in top. Now the load averages at 0.15.
Regards,
Tommy
--- Stefan Lambrev <stefan.lambrev at moneybookers.com> wrote:
>
>
> Abdullah Ibn Hamad Al-Marri wrote:
> > ----- Original Message ----
> >
> >> From: Stefan Lambrev <stefan.lambrev at moneybookers.com>
> >> To: freebsd-pf at freebsd.org
> >> Sent: Thursday, January 24, 2008 6:39:41 PM
> >> Subject: PF makes em0 taskq to eat 100% CPU
> >>
> >> Hello,
> >>
> >> I'm doing some tests and benchmarks and I'm testing pf on bridge firewall.
> >>
> >> One of the specific tests is how PF will handle SYN flood from random
> >> source addresses.
> >> While the bridge is w/o activated PF, I see 12-14MB/s traffic.
> >> When I enable the PF the traffic drops to 2-5MB/s and I'm starting to
> >> see lost packets.
> >>
> >> Here is what top -S shows when PF is not active:
> >> 25 root 1 -68 - 0K 16K - 1 34:45 26.37% em0 taskq - only 26% CPU used
> >>
> >> but when I enable PF it (em0 taskq) goes up to 100% and packets are lost.
> >>
> >
> >> Here is the pf.conf used for tests:
> >>
> >> #macros
> >> ext_if="em0"
> >> int_if="em1"
> >> br_if="bridge0"
> >>
> >> www="10.3.3.1"
> >>
> >> #sets
> >> set skip on lo0
> >> set skip on $int_if
> >> set skip on $br_if
> >> set limit states 20000000
> >> set limit src-nodes 15000
> >> set optimization aggressive
> >>
> >> table persist file "/etc/abusive_hosts"
> >>
> >> block log quick from to any
> >> block log quick from any to
> >>
> >> pass in quick on $ext_if proto tcp from any to $www port { 80, 443 } flags S/SA keep state \
> >> (source-track rule, max-src-conn-rate 150/10, max-src-states 250, overload flush global)
> >>
> >> The number of states that I reach is a little more than 2,000,000.
> >> (20,000,000 is the limit that I enforce)
> >> FreeBSD 7.0-RC1- Thu Jan 24 - amd64 - sched_ule
> >>
> >> Please advise.
> >>
> >> --
> >>
> >> Best Wishes,
> >> Stefan Lambrev
> >> ICQ# 24134177
> >>
> >>
> >
> > Hello Stefan,
> >
> > What version of FreeBSD do you use and what arch? What is your CPU spec and what RAM?
> >
>
> FreeBSD 7.0-RC1 - Thu Jan 24 - amd64 - sched_ule. My CPU is Xeon(R)
> X3220 2.4 GHz - quad core, 2GB RAM.
> I increased kern.ipc.nmbclusters=262144
> I find device polling quite helpful here - at least the CPUs are idle.
> >
> >
> > Regards,
> > -Abdullah Ibn Hamad Al-Marri
> > Arab Portal
> > http://www.WeArab.Net/
>
> --
>
> Best Wishes,
> Stefan Lambrev
> ICQ# 24134177
>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>