From: Luigi Rizzo
To: Karim
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 25 Oct 2011 18:50:39 +0200
Subject: Re: ipfw rule processing performances

On Tue, Oct 25, 2011 at 11:36:47AM -0400, Karim wrote:
> Hi all,
>
> I am using ipfw with a fairly small amount of rules (~200). Most of
> those are skipto rules to different blocking and pass-through blocks. I
> use ipfw tags, ALTQ, nat, fwd and several deny and allow rules and I do
> not use/need tables.
>
> What I find is around 400Mbps of traffic (~40kpps) an extremely high
> amount of cpu usage related to firewall processing.
>
> What I would like to know is if there is an ongoing work to optimise
> ipfw and/or gather ideas on how to do that.
>
> I realise my question has a large scope but I am not interested in
> optimizing my ruleset I'd like to get a feel for how code wise the
> current processing could be optimized (using multiple input TX/RX queues
> for example, etc...).

we did some performance evaluation a couple of years ago,
mostly related to dummynet but there are some ipfw data too.

http://info.iet.unipi.it/~luigi/papers/20100304-ccr.pdf

in summary, on a modern CPU i would expect to get to 200kpps
with moderate cpu usage, unless you have an expensive or
poorly designed ruleset. Unfortunately tags are very expensive,
but i have no idea of the nat overhead.

cheers
luigi

> Karim.