svn commit: r191259 - head/sys/netinet
Robert Watson
rwatson at FreeBSD.org
Mon Apr 20 10:33:06 UTC 2009
On Mon, 20 Apr 2009, Kip Macy wrote:
>> ... which means you fall back to the ordinary routing lookups, but only
>> after you have wasted cycles to compute a hash and found out that it
>> doesn't match anything in your cache -> in this case I would expect only a
>> degradation in performance, not an improvement.
>
> If your normal operating conditions are DDOS then you have more serious
> problems. I said that the system would not collapse as you were in fact
> claiming, not that it would perform optimally.
I think a useful test case to exercise this would be to look at the
performance of a real-world benchmark during a simulated synflood from spoofed
source IPs in which you gradually scale up the size of the source IP pool for
the synflood, as compared to running without the flowcache. The overhead of
all the flowcache misses should, presumably, be quite noticeable once it
overflows, as it adds additional locking and lookups (both of which have
historically been very noticeable). I think the important question is not
whether we can measure the overhead (if we can't then we're not testing
right), but whether it leads to a performance collapse that didn't previously
exist.
Robert N M Watson
Computer Laboratory
University of Cambridge