From owner-freebsd-net Tue Oct 8 22:40:15 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5A0DE37B401;
	Tue, 8 Oct 2002 22:40:13 -0700 (PDT)
Received: from sccrmhc02.attbi.com (sccrmhc02.attbi.com [204.127.202.62])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B869243E4A;
	Tue, 8 Oct 2002 22:40:12 -0700 (PDT)
	(envelope-from julian@elischer.org)
Received: from InterJet.elischer.org ([12.232.206.8])
	by sccrmhc02.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626)
	with ESMTP id <20021009054012.RAGB6765.sccrmhc02.attbi.com@InterJet.elischer.org>;
	Wed, 9 Oct 2002 05:40:12 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1])
	by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id WAA43724;
	Tue, 8 Oct 2002 22:30:18 -0700 (PDT)
Date: Tue, 8 Oct 2002 22:30:16 -0700 (PDT)
From: Julian Elischer
To: Christopher Smith
Cc: Mike Silbersack, hardware@freebsd.org, net@freebsd.org
Subject: Re: High interrupt load on firewalls
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 9 Oct 2002, Christopher Smith wrote:

> On 9/10/02 3:07 PM, "Mike Silbersack" wrote:
>
> > On Wed, 9 Oct 2002, Christopher Smith wrote:
> >
> >> We have two firewalls sitting on gigabit links. Each has 2 Netgear GA620
> >> (ti driver) fibre cards with about 7 vlans spread across them. Both these
> >> machines run at *very* high interrupt loads (95 - 100% during business hours
> >> (mostly 100%), 80 - 90% during off hours). They are 1GHz P3 machines (Dell
> >> 1550s) with 256MB of RAM. They're actually dual machines, but enabling the
> >> second CPU doesn't help in terms of load, it just halves the numbers top
> >> reports.
> >
> > I'm not sure if system vs interrupt accounting is entirely accurate, so
> > I'm going to postulate that the firewall itself could actually be the
> > dominant consumer of CPU time. Are you using ipfw? If so, have you tried
> > out Luigi's new IPFW2? It was MFC'd to 4.6-stable, and is supposed to be
> > more efficient.
>
> No, we use IPFilter (and that definitely isn't going to change any time
> soon).
>
> The ruleset has about 1600 rules and does employ groups. I am (slowly) in
> the process of trimming some of the fat (though not primarily for
> performance reasons, there's just crap in there that needs to be removed).
>
> The rule processing can't be done on the other CPU, can it? Am I right in
> saying that at this point in time, buying a dual CPU (vs single CPU) machine
> for firewalling with FreeBSD is just a waste of money?

Not necessarily. IP firewalling is done by the netisr processing, which COULD
be done sometimes on the other processor from the hardware interrupt. It may
not happen at the moment, but it is theoretically possible to make it happen.

> --
> +- Christopher Smith, Systems Administrator ------------------------------+
> | Server & Security Group, Information Technology Services               |
> | The University of Queensland, Brisbane, Australia, 4072                |
> +- Ph +61 7 3365 4046 | email csmith@its.uq.edu.au | Fax +61 7 3365 4065 -+

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
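An added illustration of the rule grouping Christopher refers to (this is example configuration written for this archive page, not his ruleset and not code from the thread): an IPFilter ruleset that uses head/group so that a packet arriving on one interface in one direction is compared only against the rules for that interface and direction, instead of being walked past every rule in a flat list. The interface names (ti0, ti1, vlan10) and the addresses (192.0.2.0/24, 198.51.100.0/24) are placeholders.

```conf
# Constructed example ruleset for IPFilter (ipf.conf syntax), not from the thread.
# Interface names and addresses below are hypothetical placeholders.

# Top-level "head" rules: one per interface and direction.
# A quick block head means: evaluate the rules in that group; if none of
# them matches, the head rule itself is the match and the packet is
# blocked, and no further top-level rules are consulted.
block in  quick on ti0 all head 100
block out quick on ti0 all head 101
block in  quick on ti1 all head 200
block out quick on ti1 all head 201
block in  quick on vlan10 all head 300
block out quick on vlan10 all head 301

# Group 100: inbound on ti0 (external side). Only these rules are
# compared against inbound ti0 traffic.
pass in quick proto tcp from any to 192.0.2.10 port = 80  flags S keep state group 100
pass in quick proto tcp from any to 192.0.2.10 port = 443 flags S keep state group 100
pass in quick proto tcp from any to 192.0.2.20 port = 25  flags S keep state group 100
pass in quick proto udp from any to 192.0.2.30 port = 53  keep state group 100
# Anything else inbound on ti0 falls back to head 100 and is blocked.

# Group 101: outbound on ti0. New connections from the internal network;
# replies to the stateful entries above are matched by the state table.
pass out quick proto tcp  from 198.51.100.0/24 to any flags S keep state group 101
pass out quick proto udp  from 198.51.100.0/24 to any keep state group 101
pass out quick proto icmp from 198.51.100.0/24 to any keep state group 101

# Groups 200/201: internal side (ti1).
pass in  quick from 198.51.100.0/24 to any keep state group 200
pass out quick from any to 198.51.100.0/24 keep state group 201

# Groups 300/301: a VLAN subinterface with its own, smaller rule list.
pass in  quick proto tcp from 198.51.100.0/24 to 192.0.2.10 port = 22 flags S keep state group 300
pass out quick from 192.0.2.10 to 198.51.100.0/24 keep state group 301
```

Check the file without touching the running kernel with `ipf -nf /etc/ipf.rules` before loading it, and after it has been in service for a while use `ipfstat -hio` to see per-rule hit counts; rules that never match are candidates for the trimming Christopher describes. A group rule may itself carry `head N` to nest a further sub-group when one interface still has too many rules. Note the limit of this technique: grouping cuts the number of rule comparisons per packet, but it does nothing to the per-packet cost of the ti driver's interrupt handling that the thread is actually about.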