From: "Bill Marquette"
To: "Lorenz Helleis"
Date: Sun, 9 Mar 2008 09:50:06 -0500
Cc: freebsd-pf@freebsd.org
Subject: Re: Res: Res: Dropped Packets

On Fri, Mar 7, 2008 at 4:40 PM, Lorenz Helleis wrote:
> This is an internal firewall... I think the entry in the table session is
> disappearing, so the client needs to make another connection. I'm thinking
> about creating a stateless rule.

I suspect this will only decrease your packet rates. From what I understand, state table lookups are MUCH cheaper than rule table lookups. Also, the congestion count increases (from memory) when the NIC can't send packets; you might look at increasing the net.inet.ip.intr_queue_maxlen sysctl if net.inet.ip.intr_queue_drops is showing a non-zero value (which it likely is if you are pushing 400kpps w/out increasing the queue).

BTW, what version of FreeBSD? I didn't see it already mentioned in the thread.

--Bill
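
Added example, not part of the message or the thread: a small sh script that compares two samples of the sysctls named in the reply above and reports whether net.inet.ip.intr_queue_drops grew between them. The helper names, the INTERVAL variable and the "double the queue" suggestion are assumptions made for this example; the input format is the "name: value" lines that sysctl prints on FreeBSD.

```shell
#!/bin/sh
# Added example: check the IP input queue for new drops between two samples.
# Each sample is the text printed by `sysctl <oid> <oid>`: one "name: value" per line.

OIDS="net.inet.ip.intr_queue_maxlen net.inet.ip.intr_queue_drops"

# oid_value TEXT NAME -> prints the value of NAME found in TEXT (empty if absent)
oid_value() {
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '$1 == k { print $2; exit }'
}

# check_intr_queue BEFORE AFTER
# Prints a one-line verdict. Returns 0: no new drops, 1: drops grew, 2: bad input.
check_intr_queue() {
    maxlen=$(oid_value "$2" net.inet.ip.intr_queue_maxlen)
    d0=$(oid_value "$1" net.inet.ip.intr_queue_drops)
    d1=$(oid_value "$2" net.inet.ip.intr_queue_drops)
    for v in "$maxlen" "$d0" "$d1"; do
        case "$v" in
            ''|*[!0-9]*) echo "error: missing or non-numeric sysctl value"; return 2 ;;
        esac
    done
    new=$((d1 - d0))
    if [ "$new" -lt 0 ]; then
        echo "error: drop counter went backwards (reset?); sample again"
        return 2
    fi
    if [ "$new" -eq 0 ]; then
        echo "ok: no new drops (maxlen=$maxlen, total drops=$d1)"
        return 0
    fi
    # Doubling is an assumed starting point, not a value taken from the thread.
    echo "drops: +$new in interval (maxlen=$maxlen);" \
         "try: sysctl net.inet.ip.intr_queue_maxlen=$((maxlen * 2))"
    return 1
}

# Live use, FreeBSD only: take two samples INTERVAL seconds apart (default 10).
if [ "$(uname -s)" = "FreeBSD" ]; then
    before=$(sysctl $OIDS)
    sleep "${INTERVAL:-10}"
    after=$(sysctl $OIDS)
    check_intr_queue "$before" "$after"
fi
```

Comparing two samples matters because intr_queue_drops is a cumulative counter: a non-zero total only shows that drops happened at some point since boot, while a growing delta shows they are happening under the current load.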