8.0-CURRENT: having pf enabled without any rules impacts forwarding performance
Deomid Ryabkov
myself at rojer.pp.ru
Tue Mar 24 17:22:23 PDT 2009
Max Laier wrote:
> On Wednesday 25 March 2009 00:13:55 Deomid Ryabkov wrote:
>
>> I have a machine with nc running through it.
>> With pf disabled, I see 960-970 mbit/s through it (as reported by systat -ifstat).
>> Just having pf enabled, with an empty ruleset:
>>
>> # pfctl -vs nat
>> # pfctl -vs rules
>> #
>>
>> reduces throughput to about 700 mbit.
>> This seems wrong. Any ideas why this might be happening?
>>
>
> You have to search the (empty) ruleset for the (implicit) default "pass all"
> rule. This is somewhat expensive. Then there is the pf mutex (quite
> expensive) and the pfil rm_lock (not so much). In addition the pf mutex is a
> single, global lock and thus reduces the opportunity for parallelism.
>
>
Thanks for the explanation, Max.
Further data point: a ruleset with 8 nat rules that never match (but have to be checked) chops off a further ~50 mbit. That I'm less worried about, but the initial hit for just enabling filtering does worry me quite a bit.
Is there anything to be done about that? Is anything being done? Or planned?
[hardware is 2 x Xeon E5410 (2.3 GHz), network interfaces are Intel PRO/1000 PT]
>> OS: 8.0-CURRENT #0: Fri Feb 27 04:20:49 MSK 2009
>>
>> thanks.
>>
>
>
--
Deomid Ryabkov aka Rojer
myself at rojer.pp.ru
rojer at sysadmins.ru
ICQ: 8025844
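An added illustration, not part of the thread above and not something either poster wrote: a pf.conf fragment contrasting the situation in the original post (pf enabled with an empty ruleset, so every forwarded packet still goes through the ruleset lookup and the global pf lock Max describes) with a ruleset that uses pf's `set skip` option to keep pf off the forwarding interfaces entirely. The interface names em0, em1 and em2 are assumptions; which interfaces, if any, can safely bypass filtering and state tracking is a per-deployment decision.

```conf
# Added example (not from the thread). Interface names are assumptions.

# (a) What the original post measured: pf enabled with no rules at all.
#     Nothing to write here; the ruleset is empty, yet every forwarded packet
#     is still handed to pf, matched against the implicit default "pass all"
#     rule, and serialised on the global pf mutex.

# (b) Same box, but pf is told to ignore the two forwarding interfaces.
#     Packets on skipped interfaces bypass the ruleset and the state table,
#     so they are neither filtered nor tracked there. Only use this for
#     interfaces that genuinely need no filtering.
set skip on { em0 em1 }

# Filtering still applies to every interface not listed in "set skip",
# e.g. an assumed management interface em2.
block in on em2
pass in on em2 proto tcp from any to any port 22 keep state
```

After editing, `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -s info` shows which interfaces are skipped; re-running the same throughput measurement (`systat -ifstat`) with and without the `set skip` line isolates how much of the drop is due to pf touching the forwarding path at all.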