Date:      Sun, 12 Jul 2009 17:50:30 -0700
From:      Kip Macy <kmacy@freebsd.org>
To:        Chris Buechler <cmb@pfsense.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: Flowtables -- any tuning hints?
Message-ID:  <3c1674c90907121750m7e5daad6g1acde39e1f5507c0@mail.gmail.com>
In-Reply-To: <4A5A66B7.6060206@pfsense.org>
References:  <d5992baf0907111024g5e3dddfvdd44a8795543e7a6@mail.gmail.com> <3c1674c90907120009o330da19ds68c45d0dab6ef81f@mail.gmail.com> <4A5A66B7.6060206@pfsense.org>

>
> This is interesting functionality, but I think we need to look at it a bit
> closer for our use case. Is there any benefit in running this in a firewall
> scenario? That's primarily what Scott and I (pfsense) are interested in. In
> our world, if you're pushing 50Kpps+, you're almost certainly falling into
> the "small ISP doing IP forwarding" scenario with hundreds of thousands of
> unique destinations. Where we usually see these kinds of loads are small
> ISPs, web hosting companies, or universities (which are functionally not
> much diff from a small ISP), all of which I'm familiar with falling into the
> "better off disabling" category. I also suspect pf's locking negates some or
> all of the benefits here.

If you lack any locality, i.e. within a 30 second window most of
the recipients are distinct, then it is not likely to be beneficial. I
encourage you to test with and without.


> I suspect it's not applicable to the specific workload our users normally
> have, where you're almost entirely doing IP forwarding, and initiating very
> little if any traffic. bz@ said it's not something you want on a router. Is
> that a fair assessment?

Probably. As I say, please test with vs. without. Odds are you are
correct that even with locality the contention in PF will mask any
benefit.


Thanks,
Kip


