Date: Sun, 12 Jul 2009 17:50:30 -0700
From: Kip Macy <kmacy@freebsd.org>
To: Chris Buechler <cmb@pfsense.org>
Cc: freebsd-current@freebsd.org
Subject: Re: Flowtables -- any tuning hints?
Message-ID: <3c1674c90907121750m7e5daad6g1acde39e1f5507c0@mail.gmail.com>
In-Reply-To: <4A5A66B7.6060206@pfsense.org>
References: <d5992baf0907111024g5e3dddfvdd44a8795543e7a6@mail.gmail.com> <3c1674c90907120009o330da19ds68c45d0dab6ef81f@mail.gmail.com> <4A5A66B7.6060206@pfsense.org>

> This is interesting functionality, but I think we need to look at it a bit
> closer for our use case. Is there any benefit in running this in a firewall
> scenario? That's primarily what Scott and I (pfsense) are interested in. In
> our world, if you're pushing 50Kpps+, you're almost certainly falling into
> the "small ISP doing IP forwarding" scenario with hundreds of thousands of
> unique destinations. Where we usually see these kinds of loads are small
> ISPs, web hosting companies, or universities (which are functionally not
> much diff from a small ISP), all of which I'm familiar with falling into the
> "better off disabling" category. I also suspect pf's locking negates some or
> all of the benefits here.

If you lack any locality, i.e. within a 30 second window most of the
recipients are distinct, then it is not likely to be beneficial. I
encourage you to test with and without.

> I suspect it's not applicable to the specific workload our users normally
> have, where you're almost entirely doing IP forwarding, and initiating very
> little if any traffic. bz@ said it's not something you want on a router. Is
> that a fair assessment?

Probably. As I say, please test with vs. without. Odds are you are
correct that even with locality the contention in PF will mask any
benefit.

Thanks,
Kip
