Date: Tue, 23 Oct 2012 09:13:07 +0200 From: n j <nino80@gmail.com> To: ipfw@freebsd.org Cc: net@freebsd.org Subject: Re: [RFC] Enabling IPFIREWALL_FORWARD in run-time Message-ID: <CALf6cgYokOZhgXGPk2J=BcabFkbnNRegNxVTvoz%2BkTYLhkrDEg@mail.gmail.com> In-Reply-To: <50848E16.6060008@freebsd.org> References: <508138A4.5030901@FreeBSD.org> <50848E16.6060008@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> On 10/19/12 4:25 AM, Andrey V. Elsukov wrote: >> >> Hi All, >> >> Many years ago i have already proposed this feature, but at that time >> several people were against, because as they said, it could affect >> performance. Now, when we have high speed network adapters, SMP kernel >> and network stack, several locks acquired in the path of each packet, >> and i have an ability to test this in the lab. >> >> So, i prepared the patch, that removes IPFIREWALL_FORWARD option from >> the kernel and makes this functionality always build-in, but it is >> turned off by default and can be enabled via the sysctl(8) variable >> net.pfil.forward=1. >> >> http://people.freebsd.org/~ae/pfil_forward.diff >> >> Also we have done some tests with the ixia traffic generator connected >> via 10G network adapter. Tests have show that there is no visible >> difference, and there is no visible performance degradation. >> >> Any objections? Just another me-too mail - this is great news! I can't really comment on the quality of the patch or the performance results as I'm neither an expert in low-level coding nor do I have a test lab to give this patch a go, but if there are no concrete objections, I really hope this goes forward. Thanks for the good work. Regards, -- Nino
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CALf6cgYokOZhgXGPk2J=BcabFkbnNRegNxVTvoz%2BkTYLhkrDEg>