From: Christopher Smith
To: Mike Silbersack
Cc: ,
Date: Wed, 09 Oct 2002 15:23:02 +1000
Subject: Re: High interrupt load on firewalls
In-Reply-To: <20021009000519.J2019-100000@patrocles.silby.com>
List: freebsd-net@freebsd.org

On 9/10/02 3:07 PM, "Mike Silbersack" wrote:

> On Wed, 9 Oct 2002, Christopher Smith wrote:
>
>> We have two firewalls sitting on gigabit links. Each has 2 Netgear GA620
>> (ti driver) fibre cards with about 7 vlans spread across them. Both these
>> machines run at *very* high interrupt loads (95 - 100% during business hours
>> (mostly 100%), 80 - 90 % during off hours). They are 1GHz P3 machines (Dell
>> 1550s) with 256MB of RAM. They're actually dual machines, but enabling the
>> second CPU doesn't help in terms of load, it just halves the numbers top
>> reports.
>
> I'm not sure if system vs interrupt accounting is entirely accurate, so
> I'm going to postulate that the firewall itself could actually be the
> dominant consumer of CPU time. Are you using ipfw? If so, have you tried
> out Luigi's new IPFW2? It was MFC'd to 4.6-stable, and is supposed to be
> more efficient.

No, we use IPFilter (and that definitely isn't going to change any time
soon). The ruleset has about 1600 rules and does employ groups. I am
(slowly) in the process of trimming some of the fat (though not primarily
for performance reasons, there's just crap in there that needs to be
removed).

The rule processing can't be done on the other CPU, can it?

Am I right in saying that at this point in time, buying a dual CPU (vs
single CPU) machine for firewalling with FreeBSD is just a waste of money?

-- 
+- Christopher Smith, Systems Administrator ------------------------------+
| Server & Security Group, Information Technology Services                |
| The University of Queensland, Brisbane, Australia, 4072                 |
+- Ph +61 7 3365 4046 | email csmith@its.uq.edu.au | Fax +61 7 3365 4065 -+
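The exchange above turns on how much work a ~1600-rule IPFilter policy costs per packet and why groups matter. The following is an added illustration, not code from the thread and not IPFilter's own matching code: a simplified model of last-match rule evaluation with IPFilter-style `quick` and `head`/`group` keywords that counts how many rules a single packet walks under a flat rule set versus the same policy split into per-interface groups. The interface names, ports, the rule sets and the exact dispatch semantics (a matching `head` rule hands off to its group, whose result overrides the head rule's own action, and evaluation then resumes at the top level) are constructed assumptions for illustration only.

```python
# Added illustration (not from the freebsd-net thread, not IPFilter's code):
# a simplified model of last-match rule evaluation with IPFilter-style
# "quick" and "head"/"group" keywords, counting how many rules one packet
# walks. Interfaces, ports, rule sets and dispatch semantics are constructed
# assumptions for illustration.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    iface: str                  # interface the rule applies to, e.g. "ti0"
    proto: str                  # "tcp", "udp" or "any"
    dport: Optional[int]        # destination port; None means any port
    quick: bool = False         # stop evaluating once this rule matches
    head: Optional[int] = None  # a match continues in this rule group
    group: int = 0              # group the rule belongs to; 0 = top level


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, group: int = 0,
             default: str = "pass") -> Tuple[str, int]:
    """Walk the rules of `group` in order; the last match wins unless a
    matching rule is `quick`. A matching `head` rule dispatches into its
    group, whose result overrides the head rule's own action (assumed
    simplification). Returns (action, number of rules examined)."""
    action, examined = default, 0
    for rule in rules:
        if rule.group != group:
            continue
        examined += 1
        if not matches(rule, pkt):
            continue
        action = rule.action
        if rule.head is not None:
            action, sub = evaluate(rules, pkt, rule.head, action)
            examined += sub
        if rule.quick:
            break
    return action, examined


def build_flat(ifaces: Iterable[str], ports: Iterable[int],
               quick: bool = False) -> List[Rule]:
    """One flat list: a block-all per interface, then a pass per port."""
    ifaces, ports = list(ifaces), list(ports)
    rules = [Rule("block", i, "any", None) for i in ifaces]
    rules += [Rule("pass", i, "tcp", p, quick=quick) for i in ifaces for p in ports]
    return rules


def build_grouped(ifaces: Iterable[str], ports: Iterable[int]) -> List[Rule]:
    """Same policy, but each interface's block rule is a `head` whose
    per-port pass rules live in their own group."""
    ifaces, ports = list(ifaces), list(ports)
    rules = [Rule("block", i, "any", None, head=n)
             for n, i in enumerate(ifaces, start=10)]
    rules += [Rule("pass", i, "tcp", p, group=n)
              for n, i in enumerate(ifaces, start=10) for p in ports]
    return rules


if __name__ == "__main__":
    # Constructed sample policy: four ti(4)-style interfaces, 100 ports each.
    ifaces, ports = ["ti0", "ti1", "ti2", "ti3"], range(1, 101)
    for name, rules in (("flat", build_flat(ifaces, ports)),
                        ("flat+quick", build_flat(ifaces, ports, quick=True)),
                        ("grouped", build_grouped(ifaces, ports))):
        for pkt in (Packet("ti3", "tcp", 50), Packet("ti3", "tcp", 999)):
            action, n = evaluate(rules, pkt)
            print(f"{name:11s} {pkt.iface} tcp/{pkt.dport}: {action:5s} "
                  f"after {n} of {len(rules)} rules")
```

The examined-rule count is only a proxy for per-packet CPU time, but it shows the shape of the problem: with last-match semantics a flat list costs every rule on every packet, while a `head`/`group` split costs the top-level rules plus one interface's group, and `quick` on early matches shortens the walk further. It says nothing about whether that time is accounted as interrupt or system time, which is the separate question raised in the reply.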