8.0-CURRENT: having pf enabled without any rules impacts forwarding performance

Max Laier max at love2party.net
Tue Mar 24 17:07:42 PDT 2009


On Wednesday 25 March 2009 00:13:55 Deomid Ryabkov wrote:
> I have a machine with nc running through it.
> With pf disabled, I see 960-970 mbit/s through it (as reported by systat
> -ifstat).
> Just having pf enabled, with an empty ruleset:
>
> # pfctl -vs nat
> # pfctl -vs rules
> #
>
> reduces throughput to about 700 mbit.
> This seems wrong. Any ideas why this might be happening?

You have to search the (empty) ruleset for the (implicit) default "pass all" 
rule.  This is somewhat expensive.  Then there is the pf mutex (quite 
expensive) and the pfil rm_lock (not so much).  In addition the pf mutex is a 
single, global lock and thus reduces the opportunity for parallelism.

> OS: 8.0-CURRENT #0: Fri Feb 27 04:20:49 MSK 2009
>
> thanks.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
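
One practical consequence of the reply above, shown as an added pf.conf example that is not part of this thread and not Max's or the original poster's configuration: on a box that mainly forwards traffic, interfaces that need no filtering can be listed under pf's `set skip on` option, which is standard pf.conf syntax and (this is the assumption the example relies on) lets packets on those interfaces bypass the ruleset search the reply describes, while filtering stays in force on the interfaces where it is actually wanted. The interface names are placeholders.

```pf
# Added example, not from the thread. Interface names are placeholders.

# em0/em1 carry the forwarded traffic and need no filtering: packets on
# them skip pf's ruleset evaluation (assumption: "set skip" short-circuits
# the per-packet lookup the reply attributes most of the cost to).
set skip on { em0 em1 }

# Filtering remains active only on the management interface.
block in on em2
pass in quick on em2 proto tcp to (em2) port 22 keep state
pass out quick on em2 keep state
```

Load it with `pfctl -f /etc/pf.conf` and confirm the skip list with `pfctl -s Interfaces -v`, where skipped interfaces are flagged; `pfctl -s info` shows whether pf is enabled together with its per-packet counters, which is the quickest way to tell whether forwarded packets are still being evaluated. The thread does not say whether the global pf mutex is also avoided for skipped interfaces, so treat this as reducing the ruleset-search cost only, not as removing pf's per-packet locking.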