Why merging recent OpenBSD PF code is not easy (was Re: FOLLOW-UP)

Olivier Cochard-Labbé olivier at cochard.me
Tue Dec 9 00:31:58 UTC 2014


On Mon, Dec 8, 2014 at 4:27 PM, Maxim Khitrov <max at mxcrypt.com> wrote:

> On Sun, Dec 7, 2014 at 9:22 PM, Jim Thompson <jim at netgate.com> wrote:
> > OpenBSD may eventually grow proper multicore support, but that is of
> > little concern to the FreeBSD project.   It took FreeBSD years to get
> > proper multicore support, and I doubt
> > OpenBSD gets there any faster.  Nor have they started. This is bad news
> > for OpenBSD, because the world is now multicore, 1Gbps are common (I have
> > one to my house) and 10Gbps connections are increasingly common.
> > OpenBSD's "pf" doesn't even handle 1Gbps unless
>
> How many of your 1 Gbps links are handling 1.488 Mpps? I wasn't very
> interested in that use case when I did my testing, so for me, OpenBSD
> 5.3 handled 4.2 Gbps (MTU 1500) with Intel X540 NIC and Xeon
> E3-1275v2. If I did the math right, that's ~0.35 Mpps:
>
> http://marc.info/?l=openbsd-misc&m=137600809910496&w=2
>
>
If your firewall is using a Gbps link, you should take care of supporting the
maximum Gigabit Ethernet throughput of 1.488 Mpps: it's too easy to DoS any
kind of OpenBSD firewall with a simple user-land tool like
src/tools/tools/netrate/netblast. You only need to generate about 700 Kpps
for an OpenBSD 5.4 (I didn't test more recent releases).
But the performance of a firewall isn't limited to the "forwarding
performance" (and the unit is a throughput in packets per second, not a
bandwidth): there are lots more parameters to take care of (cf. RFC 3511,
"Benchmarking Methodology for Firewall Performance").

Regards,

Olivier
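The bandwidth-versus-packet-rate point made in the reply above, as an added example that is not part of this thread or of any of its authors' code: a small Python calculator for theoretical wire-rate pps (counting the 8-byte preamble and 12-byte inter-frame gap, as the 1.488 Mpps figure does) and for the smallest average frame size that keeps a saturated link under a firewall's measured pps budget. The 700 Kpps budget is the figure quoted in the message; using 1518-byte frames for the 4.2 Gbps case is an assumption.

```python
import math

# Bytes on the wire that are not part of the Ethernet frame itself:
# 8-byte preamble/SFD plus the 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 8 + 12
MIN_FRAME_BYTES = 64      # smallest legal Ethernet frame, including the 4-byte FCS
MAX_FRAME_BYTES = 1518    # 1500-byte MTU + 14-byte header + 4-byte FCS (assumed here)


def wire_rate_pps(link_bps: float, frame_bytes: int) -> int:
    """Theoretical maximum packets per second for a link speed and frame size.

    1 Gbps with 64-byte frames gives the 1.488 Mpps figure from the thread.
    """
    if frame_bytes < MIN_FRAME_BYTES:
        raise ValueError("frame smaller than the Ethernet minimum")
    bits_per_frame = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return int(link_bps // bits_per_frame)


def min_frame_for_pps_budget(link_bps: float, budget_pps: int) -> int:
    """Smallest average frame size (bytes) at which a fully loaded link still
    stays at or below the firewall's packet-rate budget.

    Traffic averaging smaller frames than this can exceed the budget even
    though it never exceeds the link's bandwidth.
    """
    frame = math.ceil(link_bps / (8 * budget_pps) - WIRE_OVERHEAD_BYTES)
    return max(frame, MIN_FRAME_BYTES)


def headroom_report(link_bps: float, budget_pps: int) -> dict:
    """Fraction of line-rate pps the budget covers at common frame sizes.

    1.0 means the firewall keeps up at line rate for that frame size; less
    than 1.0 means a flood of frames that size can overload it.
    """
    return {size: min(1.0, budget_pps / wire_rate_pps(link_bps, size))
            for size in (64, 128, 256, 512, 1024, MAX_FRAME_BYTES)}


if __name__ == "__main__":
    gige = 1_000_000_000
    budget = 700_000  # Kpps figure quoted in the message for OpenBSD 5.4
    print("1 Gbps / 64 B  ->", wire_rate_pps(gige, 64), "pps")
    print("4.2 Gbps / 1518 B ->", wire_rate_pps(4_200_000_000, MAX_FRAME_BYTES), "pps")
    print("min avg frame for", budget, "pps on 1 Gbps:",
          min_frame_for_pps_budget(gige, budget), "bytes")
    for size, frac in headroom_report(gige, budget).items():
        print(f"{size:5d} B frames: budget covers {frac:.0%} of line rate")
```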


More information about the freebsd-pf mailing list