Date: Tue, 27 Dec 2011 15:26:00 +0100 From: Luigi Rizzo <rizzo@iet.unipi.it> To: Pawel Tyll <ptyll@nitronet.pl> Cc: freebsd-ipfw@freebsd.org, "Alexander V. Chernikov" <melifaro@freebsd.org>, freebsd-net@freebsd.org Subject: Re: Firewall Profiling. Message-ID: <20111227142600.GA65456@onelab2.iet.unipi.it> In-Reply-To: <623366116.20111227150047@nitronet.pl> References: <1498545030.20111227015431@nitronet.pl> <4EF9ADBC.8090402@FreeBSD.org> <623366116.20111227150047@nitronet.pl>
index | next in thread | previous in thread | raw e-mail
On Tue, Dec 27, 2011 at 03:00:47PM +0100, Pawel Tyll wrote: > > IPFW seems to add more or less constant overhead per rule. In our setup, > > ~20 rules increase load by 100% (one core). We are able to reach 10GE > > (1.1mpps) on some routers with most packets travelling 8-10 ipfw rules. > > However, even with ipfw add 1 allow ip from any to any > > 1.1 mpps routing utilizes E5645 by more that 80%. (with IGP routes in > > rtable only). YMMV, but 2x10G is too much at the moment even without ipfw. > Does this include jumbo-frames? 1.1 mpps is far from 10gbit with > standard Internet 1500-byte traffic, unless you meant 11.1 mpps :) a 1500-byte frame is 12k bits so you need 830 Kpps to saturate the 10G link in one direction (and say another 450 Kpps as acks in the other direction). I reported the performance of ipfw+dummynet http://info.iet.unipi.it/~luigi/papers/20091201-dummynet.pdf on a 2.3GHz box and 800MHz RAM. The E5645 mentioned in the original msg is probably 2x faster than my test machine. > Are there any plans or hopes for efficiency increase? Something like > netmap? (http://info.iet.unipi.it/~luigi/netmap/) plans, yes - not sure how long it will take. I have compiled ipfw+dummynet as a standalone module (outside the kernel) but have not yet hooked the code to netmap to figure out how fast it can run. cheers luigihome | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111227142600.GA65456>