Date: Tue, 27 Dec 2011 15:00:47 +0100 From: Pawel Tyll <ptyll@nitronet.pl> To: "Alexander V. Chernikov" <melifaro@FreeBSD.org> Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org Subject: Re: Firewall Profiling. Message-ID: <623366116.20111227150047@nitronet.pl> In-Reply-To: <4EF9ADBC.8090402@FreeBSD.org> References: <1498545030.20111227015431@nitronet.pl> <4EF9ADBC.8090402@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> IPFW seems to add more or less constant overhead per rule. In our setup, > ~20 rules increase load by 100% (one core). We are able to reach 10GE > (1.1mpps) on some routers with most packets travelling 8-10 ipfw rules. > However, even with ipfw add 1 allow ip from any to any > 1.1 mpps routing utilizes E5645 by more that 80%. (with IGP routes in > rtable only). YMMV, but 2x10G is too much at the moment even without ipfw. Does this include jumbo-frames? 1.1 mpps is far from 10gbit with standard Internet 1500-byte traffic, unless you meant 11.1 mpps :) Are there any plans or hopes for efficiency increase? Something like netmap? (http://info.iet.unipi.it/~luigi/netmap/)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?623366116.20111227150047>