Date: Fri, 27 Dec 2013 09:34:16 +0300
From: "Denis V. Klimkov"
Organization: Telecom Media Systems JLLC
Message-ID: <21356442.20131227093416@tcm.by>
To: freebsd-net@freebsd.org
Subject: ipfw verrevpath performance broken in 9.2

Hello Freebsd-net,

Recently upgraded router system from 9.0-RELEASE to 9.2-STABLE and got 100% CPU utilisation on all cores with interrupts under the same load that had about 25-30% CPU utilisation before.
Of course that led to high latency (about 400 ms) and packet loss. Load reduced immediately after I removed all ipfw antispoofing rules with "verrevpath":

11010   3659429   430047150 deny ip from any to any not verrevpath in via vlan6
11020    719931    58619220 deny ip from any to any not verrevpath in via vlan7
11025     68141     5144481 deny ip from any to any not verrevpath in via vlan8
11030    202144     6785732 deny ip from any to any not verrevpath in via vlan9
11040    171291    56196945 deny ip from any to any not verrevpath in via vlan10
11045 291914032 39427773226 deny ip from any to any not verrevpath in via vlan11
11060   6102962   441745213 deny ip from any to any not verrevpath in via vlan15
11070   4832442  1259880158 deny ip from any to any not verrevpath in via vlan16
11080    814769    95745079 deny ip from any to any not verrevpath in via vlan17
11101   2901098   628552748 deny ip from any to any not verrevpath in via vlan26
11102   1264750   146468688 deny ip from any to any not verrevpath in via vlan27
11110    902441   294155831 deny ip from any to any not verrevpath in via vlan21
11120    628324    31060933 deny ip from any to any not verrevpath in via vlan23
11130      1381       83245 deny ip from any to any not verrevpath in via vlan24
11138   4258607  3389925416 deny ip from any to any not verrevpath in via vlan31
11150        56        2792 deny ip from any to any not verrevpath in via vlan40

Is there a way to fix the verrevpath performance issue in 9.2 and further? There is no problem removing these rules on this system, but I also have 2 systems running MPD with about 2000 PPPoE ng interfaces with the very handy ipfw rule "deny ip from any to any not verrevpath in via ng*".

---
Denis V. Klimkov
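
Added example, not part of the original message and not FreeBSD code: a simplified Python model of the check the rules above perform, following the ipfw(8) description of verrevpath (a routing lookup on the packet's source address, matching when that route's interface is the one the packet arrived on). The routing table, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed routing table (prefix -> outgoing interface); not from the post.
ROUTES = {
    "0.0.0.0/0": "vlan6",          # default route via the upstream interface
    "192.0.2.0/24": "vlan11",      # customer network
    "198.51.100.0/25": "vlan15",
    "198.51.100.128/25": "vlan16",
}
TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES.items()]


def route_iface(addr, table=TABLE):
    """Longest-prefix match: interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, ifc) for net, ifc in table if ip in net]
    return max(hits)[1] if hits else None   # None: no route to the source


def verrevpath(src, in_iface, table=TABLE):
    """True when the route back to src leaves through the arrival interface."""
    return route_iface(src, table) == in_iface


def antispoof_action(src, in_iface, guarded, table=TABLE):
    """Model of 'deny ip from any to any not verrevpath in via <guarded>'."""
    if in_iface in guarded and not verrevpath(src, in_iface, table):
        return "deny"        # source address is not routed via this interface
    return "next rule"       # rule does not match; evaluation continues


if __name__ == "__main__":
    guarded = {"vlan11", "vlan15", "vlan16"}
    for src, ifc in [("192.0.2.10", "vlan11"),      # legitimate customer
                     ("192.0.2.10", "vlan15"),      # spoofed from a neighbour
                     ("203.0.113.5", "vlan11"),     # external source inbound
                     ("198.51.100.200", "vlan16")]:
        print(f"{src:>15} in via {ifc}: {antispoof_action(src, ifc, guarded)}")
```

Every packet that reaches such a rule costs one route lookup on its source address, whether or not the rule ends up denying it.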