From owner-freebsd-net@FreeBSD.ORG Tue Jan 27 23:03:17 2015
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 87608C8D; Tue, 27 Jan 2015 23:03:17 +0000 (UTC)
Received: from marcos.anarc.at (mail.orangeseeds.org [72.0.72.144]) by mx1.freebsd.org (Postfix) with ESMTP id 1C9A0A0F; Tue, 27 Jan 2015 23:03:16 +0000 (UTC)
Received: by marcos.anarc.at (Postfix, from userid 1000) id 1590D1A006E; Tue, 27 Jan 2015 18:02:46 -0500 (EST)
From: Antoine Beaupré
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org, wishmaster
Subject: Re: is polling still a thing?
In-Reply-To: <20150127223917.GA21883@onelab2.iet.unipi.it>
References: <871tmgceup.fsf@marcos.anarc.at> <1422384769.867067950.y2iiuu53@frv34.fwdcdn.com> <87pp9zc1wk.fsf@marcos.anarc.at> <20150127223917.GA21883@onelab2.iet.unipi.it>
User-Agent: Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)
Date: Tue, 27 Jan 2015 18:02:46 -0500
Message-ID: <87h9vbbze1.fsf@marcos.anarc.at>
MIME-Version: 1.0
Content-Type: text/plain
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Tue, 27 Jan 2015 23:03:17 -0000

On 2015-01-27 17:39:17, Luigi Rizzo wrote:
> On Tue, Jan 27, 2015 at 05:08:27PM -0500, Antoine Beaupré wrote:
>> On 2015-01-27 13:57:20, wishmaster wrote:
>> > Have you considered using netmap-based ipfw instead of pf in DDoS
>> > mitigation? I think you should. And without any network ''hacks''
>> > like polling.
>>
>> My understanding of netmap was that it wasn't useful for packet
>> forwarding, because its design is for transmitting packets directly to
>> userland faster, whereas routers' dataflow stays mostly in the router...
>
> I think the suggestion was to let netmap-ipfw
> drop the traffic you don't want to deal with, and then
> inject the remaining ones into the kernel where
> the processing occurs -- possibly even using pf or
> a different firewall.
>
> There are people using netmap-ipfw on external physical
> boxes exactly in this way -- as a "bump in the wire",
> but it is trivial to run it on the same machine.

Hmmm... I *was* using pf to drop a significant amount of the traffic; I am
not sure I understand how using netmap/ipfw would help here.

My understanding of the problem, at this stage, is not so much pf
processing the packets as the kernel having trouble extracting the
packets from the NIC fast enough.

But my analysis may be incorrect.

A.

-- 
Work, from the Latin tripalium: three stakes, an instrument of torture.
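The two-stage layering Luigi describes above (a netmap-ipfw first stage that drops obviously unwanted traffic, with everything else re-injected into the kernel where pf can still act) can be expressed as an ordinary ipfw ruleset. The script below is an added example, not code from the thread or from the netmap-ipfw project. It assumes, which the thread does not state, that netmap-ipfw accepts the same rule syntax as kernel ipfw; the interface name `em0`, table number 1, rule numbers and the 192.0.2.0/24 and 198.51.100.0/24 prefixes are constructed for illustration. Because the generated lines are shell commands that would be fed to a privileged tool, the generator refuses prefixes that are not plain IPv4 CIDR strings instead of trusting a blocklist feed blindly.

```shell
#!/bin/sh
# Added example (not from the thread or netmap-ipfw): emit a first-stage ipfw
# ruleset that drops traffic from a blocklist table before anything reaches
# the kernel stack, the "bump in the wire" layering Luigi describes.
# Assumptions, not stated on the page: netmap-ipfw accepts the same rule
# syntax as kernel ipfw; interface, table number, rule numbers and prefixes
# are constructed for illustration.

# valid_prefix A.B.C.D/LEN -> 0 if the string is a plausible IPv4 CIDR,
# 1 otherwise. Only digits, dots and a single interior slash are allowed,
# so nothing from an untrusted blocklist can smuggle shell syntax into
# the generated commands.
valid_prefix() {
    case $1 in
        ''|/*|*/|*/*/*|*[!0-9./]*) return 1 ;;
    esac
    return 0
}

# gen_prefilter_rules IFACE PREFIX... -> prints ipfw commands on stdout,
# returns 1 (printing nothing) if any prefix is malformed.
gen_prefilter_rules() {
    iface=$1; shift
    for p in "$@"; do
        valid_prefix "$p" || { echo "rejecting malformed prefix: $p" >&2; return 1; }
    done
    echo "ipfw table 1 flush"
    for p in "$@"; do
        echo "ipfw table 1 add $p"
    done
    # Stage 1: drop blocklisted sources as they arrive on the external
    # interface, before the kernel spends any cycles on them.
    echo "ipfw add 100 deny ip from 'table(1)' to any in via $iface"
    # Everything else is passed on; in the netmap-ipfw arrangement that
    # means re-injection into the kernel, where pf or another firewall
    # still sees the remaining traffic.
    echo "ipfw add 65000 allow ip from any to any"
}

# Usage (constructed values):
#   gen_prefilter_rules em0 192.0.2.0/24 198.51.100.0/24 > stage1.sh
```

The output is a script rather than a direct invocation so that the ruleset can be reviewed before it is loaded; the deny rule is restricted to inbound packets on the external interface so that locally originated traffic to a blocklisted prefix is not affected by the first stage.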