From owner-freebsd-net@FreeBSD.ORG Thu Apr 25 18:24:30 2013 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 2CE8C1DB for ; Thu, 25 Apr 2013 18:24:30 +0000 (UTC) (envelope-from weiler@soe.ucsc.edu) Received: from mail-pd0-f172.google.com (mail-pd0-f172.google.com [209.85.192.172]) by mx1.freebsd.org (Postfix) with ESMTP id 04BBB12A5 for ; Thu, 25 Apr 2013 18:24:29 +0000 (UTC) Received: by mail-pd0-f172.google.com with SMTP id 4so1972405pdd.31 for ; Thu, 25 Apr 2013 11:24:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ucsc.edu; s=ucsc-google; h=x-received:message-id:date:from:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=PqZU9zr7hiW0RQv3EFtSghG0FY386vzs5l5oEnV/A8s=; b=CM2mgc7MP3qYxPD2aKZZGbebKhnW7V8m6no8t5oneO9pEki3ZmVrtIOyhT3F/QsbiC dg742FzYX4dojqEmmB2uLxHCH70FjIm0nJGYFXItXJ7uo+4YPO2kgeIEheQEdZFlZf3b Jd3+07FCkwTDha/7vHpc8bkQAeC/3WiYQ0QYY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:message-id:date:from:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding:x-gm-message-state; bh=PqZU9zr7hiW0RQv3EFtSghG0FY386vzs5l5oEnV/A8s=; b=MEm0XJoBLJ4wseEGG/l7/xHXsBW2XArJx4sqAaLZwiwvYlE+HTXCuYBaQUBHnAgGff lVgBctfVHL0Qj0EE96qmSOlLUHvuLjAZWT/yC+GV/rVBPL6HA8GdQQwDccZQEcYnprlC iZ2cRJzHYWCYds+2hsnVWkgXH88qrj7DiIex4tXBLKxAUNcnxELL1D3Ar0X/pDsWuxxj tmG+bXcv9KpI+5XNHTICx1QVTsI9QusDK5XJSuOGvxUccXTbP3MgpIVyqzbbswiM8NGD kxkcx41dg5Ck1+VUm67//Gt8XsrA21gRv0uYupRVtIYthYA9sNufAZbHiEbw6hBQcbmZ vS3g== X-Received: by 10.66.120.173 with SMTP id ld13mr26821105pab.187.1366914269384; Thu, 25 Apr 2013 11:24:29 -0700 (PDT) Received: from [172.30.0.50] (hgfw-01.soe.ucsc.edu. [128.114.61.130]) by mx.google.com with ESMTPSA id l4sm8294462pbo.6.2013.04.25.11.24.27 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 25 Apr 2013 11:24:28 -0700 (PDT) Message-ID: <517974DA.5090809@soe.ucsc.edu> Date: Thu, 25 Apr 2013 11:24:26 -0700 From: Erich Weiler User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.6esrpre) Gecko/20120717 Thunderbird/10.0.6 MIME-Version: 1.0 To: Kajetan Staszkiewicz Subject: Re: pf performance? References: <5176E5C1.9090601@soe.ucsc.edu> <201304240134.22740.vegeta@tuxpowered.net> In-Reply-To: <201304240134.22740.vegeta@tuxpowered.net> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Gm-Message-State: ALoCoQnnGdeqRrH5FOpi9OxzCzgPOzEj0n2NLaC3XSThhd9dAWVqaE04mchInXRk2JzdPJi7I2VY Cc: freebsd-net@freebsd.org X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Apr 2013 18:24:30 -0000 > As far as I understand, processing of packets by pf takes place in receiving > network card's interrupt handler even up to sending the packet via another > network card (at least in my case, when using route-to targets, which make > routing inside pf). That's interesting. So even though pf is giant locked, you can still scale the maximum capacity of your firewall, in this case, simply by adding more CPU cores? To handle the extra interrupts? So more cores = more packets per second, if you give each extra core an additional interrupt queue? > How do you count the 140kpps value? One interface, both, in, out? I'd like to > relate this somehow to my values. Well, generally we see 80kpps rx and 40kpps tx. But I have seen the rx spike to 150kpps occasionally. This is a pfSense box, which includes RRD graphs of packet rates, that's how I'm getting the number. I'm not sure how they are obtaining that metric under the hood. But we have not disabled HT and some other items, so that number will change is my guess. We also may add another CPU die to the mix to see if we can add interrupt queues to more cores to increase performance.