From owner-freebsd-net@freebsd.org  Tue Aug 27 17:17:03 2019
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id C665BDAAC7
 for <freebsd-net@mailman.nyi.freebsd.org>;
 Tue, 27 Aug 2019 17:17:03 +0000 (UTC) (envelope-from vit@otcnet.ru)
Received: from mail.otcnet.ru (mail.otcnet.ru [194.190.78.3])
 by mx1.freebsd.org (Postfix) with ESMTP id 46HwXZ5RB5z46Xn
 for <freebsd-net@freebsd.org>; Tue, 27 Aug 2019 17:17:02 +0000 (UTC)
 (envelope-from vit@otcnet.ru)
Received: from Victors-MacBook-Air-2.local (unknown [195.91.148.145])
 by mail.otcnet.ru (Postfix) with ESMTPSA id E5CF789D90;
 Tue, 27 Aug 2019 20:16:54 +0300 (MSK)
Subject: Re: finding optimal ipfw strategy
To: Eugene Grosbein <eugen@grosbein.net>, freebsd-net@freebsd.org
References: <f38b21a5-8f9f-4f60-4b27-c810f78cdc88@otcnet.ru>
 <4ff39c8f-341c-5d72-1b26-6558c57bff8d@grosbein.net>
 <a559d2bd-5218-f344-2e88-c00893272222@otcnet.ru>
 <cd72f9bf-a253-6a29-1405-1d31c9170836@grosbein.net>
From: Victor Gamov <vit@otcnet.ru>
Organization: OTCnet
Message-ID: <7f1d41d7-3d6c-a918-ea1a-6336caaae151@otcnet.ru>
Date: Tue, 27 Aug 2019 20:16:54 +0300
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:60.0)
 Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <cd72f9bf-a253-6a29-1405-1d31c9170836@grosbein.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Rspamd-Queue-Id: 46HwXZ5RB5z46Xn
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=pass (mx1.freebsd.org: domain of vit@otcnet.ru designates 194.190.78.3 as
 permitted sender) smtp.mailfrom=vit@otcnet.ru
X-Spamd-Result: default: False [-2.57 / 15.00]; ARC_NA(0.00)[];
 RCVD_VIA_SMTP_AUTH(0.00)[]; NEURAL_HAM_MEDIUM(-0.99)[-0.989,0];
 FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[];
 R_SPF_ALLOW(-0.20)[+a:mail.otcnet.ru];
 NEURAL_HAM_LONG(-1.00)[-0.999,0]; MIME_GOOD(-0.10)[text/plain];
 DMARC_NA(0.00)[otcnet.ru]; HAS_ORG_HEADER(0.00)[];
 TO_MATCH_ENVRCPT_SOME(0.00)[];
 NEURAL_HAM_SHORT(-0.38)[-0.384,0]; RCPT_COUNT_TWO(0.00)[2];
 IP_SCORE(0.00)[country: RU(0.01)]; RCVD_NO_TLS_LAST(0.10)[];
 FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:50822, ipnet:194.190.78.0/24, country:RU];
 MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2019 17:17:03 -0000

On 26/08/2019 20:15, Eugene Grosbein wrote:
> 26.08.2019 23:25, Victor Gamov wrote:
> 
>> More general question about my current config.  I have about
>> 200Mbit input multicasts which bridged and filtered later (about
>> 380 Mbit bridged if trafshow does not lie me :-) )
> 
> Don't trust trafshow. Use: systat -ifstat 1

This!

systat show me more real picture: 750Mbit in, 650 Mbit out via bridge


>> Is it possible to get CPU load about 30% at this config after ipfw
>> optimization?  Or may be main bottleneck is not ipfw-specific?
> 
> You won't know until you try and nobody can tell. Too many
> variables. And you better compare it with 11.3 because 12.0 may have
> some unsolved preformance regressions.

I see.  I will try 11.3 later.

Now after output optimization as Eugene recommended one core load 
decreased from 88 to 77 percents.  But many loads decreased when unused 
rules removed.

Now I'll try to optimize input rules too like
=====
table All_Ifaces create type iface
table All_Ifaces add vlan10 20010
table All_Ifaces add vlan20 20020
table All_Ifaces add vlan30 20030

12000 skipto tablearg ip from any to any in recv table(All_Ifaces)

20010 allow udp from src1 to mcast1 in recv via vlan10
20011 deny ip from any to any

20020 allow udp from src2 to mcast2 in recv via vlan20
20021 deny ip from any to any
=====


-- 
CU,
Victor Gamov