From: "Matthew Franz" <mdfranz@gmail.com>
To: "Michael Conlen"
Cc: freebsd-pf@freebsd.org
Date: Sun, 14 Oct 2007 18:24:02 -0500
Subject: Re: PF in FreeBSD 5.3 versus 6.x
Message-ID: <33acb3db0710141624g3647ddaasf720b78c3df4a208@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi Michael,

You don't say whether you are running pfsync, because Bill Marquette (who I
work with) and Max have been discussing a pretty nasty pfsync bug (on 6.2) on
this list under high loads (probably starting where you are at in terms of pps
throughput but going up to 70-90 kpps) where the backup is unable to clear
states and there is eventually a huge discrepancy between the master and the
backup. If you are seeing this with a single box. It's on my list to try to
reproduce this in the lab (and test some of the patches Max has developed)
with SmartBits, but I still haven't had time.

We are definitely seeing PF losing some state entries, but sort of assumed
this was a pfsync issue (or an effect thereof); if you are seeing this without
pfsync, that would point to some more fundamental problems with PF under high
load.

I can also share some more specific stats offline if that would be helpful.

- mdf

On 10/9/07, Michael Conlen wrote:
> I've noticed at some point between 5.3 and 6.0 that PF seems to be
> dropping more packets than with 5.3 and there is increased deviation
> in latency. Using the same equipment handling about 25k PPS each way
> I see about 0.3% packet loss with FreeBSD 6.2 and 6.0 with sub 0.1%
> loss with FreeBSD 5.3. Similarly, the worst case response times for
> ICMP packets are much less in 5.3 than in either version of 6.
>
> I'm using something pretty vanilla in terms of setup. No ALTQ support
> or features, no redirects, just a lot of blocking and allowing. The
> firewalls are using server class 3Com and Intel Gigabit (Fiber)
> cards. The changes were noticed going forward and undone by going
> back to FreeBSD 5.3, so I don't suspect physical problems at the moment.
>
> My pf.conf is essentially a block in all followed by a block in quick
> against a table with 2000 entries, many of them /24 or /16, followed by
> pass rules to the various host:ports we allow.
>
> If I login to the firewalls themselves and run mtr in each direction
> I don't see any traffic loss. It's only when crossing the firewalls.
>
> Usage is about 25k packets per second and 100Mbit/sec 5 minute max
> traffic. The switches are Foundry SI-800g.
>
> Also doing about 25k/sec searches with 400 inserts a second and 270
> removals and 407 matches/sec. The state table seems to run about
> 70,000 to 90,000.
>
> Are there issues I should be aware of and should pf be able to handle
> this kind of load?
>
> --
> Michael Conlen
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

--
Matthew Franz
http://www.threatmind.net/
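The two things the thread asks a reader to check by hand, whether a pfsync backup's state table is drifting away from the master's and whether states are being created faster than they expire, can be read straight out of `pfctl -si`. The script below is an added example, not code from either poster or from the FreeBSD project: it parses the State Table and Counters rows of saved `pfctl -si` output for a master and a backup, reports the percentage gap in "current entries", and computes inserts minus removals per second. Both outputs are constructed for the example; the master's rates copy the counters Michael reports (25k searches, 400 inserts, 270 removals, 407 matches per second), and the backup's entry count is inflated to model a backup that is not clearing states. The 10% tolerance is an assumption for the example, not a documented pf threshold.

```shell
#!/bin/sh
# Added example (not from the thread): detect pfsync master/backup state
# divergence and state-table growth from saved `pfctl -si` output.
# MASTER_SI / BACKUP_SI are constructed samples; the master's rates mirror the
# counters reported in the thread, the backup's entry count is deliberately
# inflated to model a backup that fails to clear states.

MASTER_SI='State Table                          Total             Rate
  current entries                    85000
  searches                       150000000         25000.0/s
  inserts                          2400000           400.0/s
  removals                         1620000           270.0/s
Counters
  match                            2442000           407.0/s
  bad-offset                             0             0.0/s'

BACKUP_SI='State Table                          Total             Rate
  current entries                   140000
  searches                        90000000         15000.0/s
  inserts                          2400000           400.0/s
  removals                          900000           150.0/s
Counters
  match                            2442000           407.0/s
  bad-offset                             0             0.0/s'

# Print the "current entries" total from pfctl -si text on stdin.
pf_entries() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Print the per-second rate of the named row ("searches", "inserts",
# "removals", "match") from pfctl -si text on stdin, without the "/s" suffix.
pf_rate() {
    awk -v label="$1" '$1 == label && NF >= 3 { sub(/\/s$/, "", $3); print $3; exit }'
}

# Absolute difference between backup and master state counts as an integer
# percentage of the master's count. pfsync mirrors the master's states to the
# backup, so the two should track closely; a large gap that keeps growing is
# the symptom the thread describes.
state_gap_pct() {
    master=$1; backup=$2
    [ "$master" -gt 0 ] || { echo 0; return; }
    diff=$((backup - master))
    [ "$diff" -ge 0 ] || diff=$((0 - diff))
    echo $((diff * 100 / master))
}

# Succeeds when the gap is within the tolerance in $3 (percent; the default of
# 10 is an assumption for this example, not a documented pf threshold).
pfsync_in_sync() {
    [ "$(state_gap_pct "$1" "$2")" -le "${3:-10}" ]
}

# Net state creation rate (inserts minus removals per second) from the
# pfctl -si text in $1. Sustained positive growth means states are created
# faster than they expire, so the table grows until it hits the state limit.
state_growth() {
    ins=$(printf '%s\n' "$1" | pf_rate inserts)
    rem=$(printf '%s\n' "$1" | pf_rate removals)
    awk -v i="$ins" -v r="$rem" 'BEGIN { printf "%d\n", i - r }'
}

m=$(printf '%s\n' "$MASTER_SI" | pf_entries)
b=$(printf '%s\n' "$BACKUP_SI" | pf_entries)
echo "master=$m backup=$b gap=$(state_gap_pct "$m" "$b")% growth=$(state_growth "$MASTER_SI")/s"
if pfsync_in_sync "$m" "$b" 10; then echo "pfsync: in sync"; else echo "pfsync: DIVERGED"; fi
```

To use it against live boxes, replace the two constructed strings with `pfctl -si` captured on the master and the backup at the same moment (for example over ssh), and sample repeatedly: a gap that is stable is just replication lag, a gap that grows monotonically is the backup failing to remove states.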