From: Kip Macy
To: Chris Buechler
Cc: freebsd-current@freebsd.org
Date: Sun, 12 Jul 2009 17:50:30 -0700
Subject: Re: Flowtables -- any tuning hints?

> This is interesting functionality, but I think we need to look at it a bit
> closer for our use case. Is there any benefit in running this in a firewall
> scenario? That's primarily what Scott and I (pfsense) are interested in. In
> our world, if you're pushing 50Kpps+, you're almost certainly falling into
> the "small ISP doing IP forwarding" scenario with hundreds of thousands of
> unique destinations. Where we usually see these kinds of loads are small
> ISPs, web hosting companies, or universities (which are functionally not
> much diff from a small ISP), all of which I'm familiar with falling into the
> "better off disabling" category. I also suspect pf's locking negates some or
> all of the benefits here.

If you lack any locality, i.e. within a 30 second window most of the
recipients are distinct, then it is not likely to be beneficial. I
encourage you to test with and without.

> I suspect it's not applicable to the specific workload our users normally
> have, where you're almost entirely doing IP forwarding, and initiating very
> little if any traffic. bz@ said it's not something you want on a router. Is
> that a fair assessment?

Probably. As I say, please test with vs. without. Odds are you are
correct that even with locality the contention in PF will mask any
benefit.

Thanks,
Kip
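
Added example, not part of the original message and not FreeBSD code: a rough way to estimate the locality criterion from the reply above (are most recipients distinct within a 30 second window?) from a list of forwarded-packet records. The record format, the function names and the sample traffic are assumptions constructed for illustration, and the "reuse" figure only approximates what a per-destination cache would see.

```python
from collections import defaultdict

WINDOW_SECONDS = 30  # the window size named in the reply above


def destination_reuse(packets, window=WINDOW_SECONDS):
    """Fraction of packets whose destination was already seen within the
    previous `window` seconds. `packets` is a time-sorted iterable of
    (timestamp_seconds, dst_ip). High values mean strong locality."""
    last_seen = {}
    hits = total = 0
    for ts, dst in packets:
        prev = last_seen.get(dst)
        if prev is not None and ts - prev <= window:
            hits += 1
        last_seen[dst] = ts  # any packet refreshes the destination's timer
        total += 1
    return hits / total if total else 0.0


def distinct_ratio_per_window(packets, window=WINDOW_SECONDS):
    """For each fixed window, distinct destinations divided by packets.
    A ratio near 1.0 means most recipients in that window are distinct."""
    buckets = defaultdict(list)
    for ts, dst in packets:
        buckets[int(ts // window)].append(dst)
    return {b: len(set(d)) / len(d) for b, d in sorted(buckets.items())}


# Constructed sample traffic (documentation address ranges), one packet/second.
# "Server-like": 60 packets spread over only 3 destinations.
SAMPLE_SERVER = [(i, f"192.0.2.{i % 3 + 1}") for i in range(60)]
# "Forwarding-like": 60 packets, every destination unique.
SAMPLE_ROUTER = [(i, f"198.51.100.{i + 1}") for i in range(60)]

if __name__ == "__main__":
    for name, sample in (("server", SAMPLE_SERVER), ("router", SAMPLE_ROUTER)):
        print(name,
              "reuse=%.2f" % destination_reuse(sample),
              "distinct/window=%s" % distinct_ratio_per_window(sample))
```

A low reuse fraction together with per-window ratios near 1.0 matches the "lack any locality" case in the reply; either way, the with-and-without test it asks for is still the deciding measurement.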