From: Kajetan Staszkiewicz
To: Erich Weiler
Subject: Re: pf performance?
Date: Fri, 26 Apr 2013 00:21:11 +0200
Cc: freebsd-net@freebsd.org

On Thursday, 25 April 2013 at 20:24:26, Erich Weiler wrote:
> > As far as I understand, processing of packets by pf takes place in
> > receiving network card's interrupt handler even up to sending the packet
> > via another network card (at least in my case, when using route-to
> > targets, which make routing inside pf).
>
> That's interesting. So even though pf is giant locked, you can still
> scale the maximum capacity of your firewall, in this case, simply by
> adding more CPU cores? To handle the extra interrupts? So more cores =
> more packets per second, if you give each extra core an additional
> interrupt queue?

There is still some code outside pf that packets from the network pass through.

> > How do you count the 140kpps value? One interface, both, in, out? I'd
> > like to relate this somehow to my values.
>
> Well, generally we see 80kpps rx and 40kpps tx. But I have seen the rx
> spike to 150kpps occasionally.

Unfortunately at this moment I have no single machine with such traffic,
although maybe I can aggregate some traffic later and check the cpu usage then.

> This is a pfSense box, which includes
> RRD graphs of packet rates, that's how I'm getting the number. I'm not
> sure how they are obtaining that metric under the hood. But we have not
> disabled HT and some other items, so that number will change is my
> guess. We also may add another CPU die to the mix to see if we can add
> interrupt queues to more cores to increase performance.

How many pf rules do you have? And, as I asked in my previous post, do you
create states on both sides of the firewall?

-- 
| pozdrawiam / greetings | powered by Debian, CentOS and FreeBSD |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net  |
| Vegeta                 | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'