From owner-freebsd-net@FreeBSD.ORG Thu May 20 04:38:44 2010
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B5A301065670 for ; Thu, 20 May 2010 04:38:44 +0000 (UTC) (envelope-from rihad@mail.ru)
Received: from mx34.mail.ru (mx34.mail.ru [94.100.176.48]) by mx1.freebsd.org (Postfix) with ESMTP id 70CC68FC18 for ; Thu, 20 May 2010 04:38:44 +0000 (UTC)
Received: from [217.25.27.27] (port=50379 helo=[217.25.27.27]) by mx34.mail.ru with asmtp id 1OExWs-0001aq-00; Thu, 20 May 2010 08:38:42 +0400
Message-ID: <4BF4BCD6.4000303@mail.ru>
Date: Thu, 20 May 2010 09:38:46 +0500
From: rihad
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100423 Thunderbird/3.0.4
MIME-Version: 1.0
To: Sriram Gorti
References: <4BF4252F.8000208@mail.ru>
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam: Not detected
X-Mras: Ok
Cc: freebsd-net@freebsd.org
Subject: Re: increasing em(4) buffer sizes
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 20 May 2010 04:38:44 -0000

On 05/20/2010 08:54 AM, Sriram Gorti wrote:
> Hi,
>
> I'm new to FreeBSD but there is one aspect of your description (thanks
> for the detail) on which I had a comment that I thought could be shared.
>
> > To mitigate the problem I've set up a two-level hash by means of
> > skipto rules, dropping the number of up to several thousand rules to be
> > searched for each packet to a mere 85 max, but the rate of Ierrs has
> > only increased to 40-50K per hour,
>
> Not exactly sure what kind of rules are in a firewall and what kind of
> searcher you have. If you have a software searcher, it is not just the

Not really, it's the lookup done by the OS for each outgoing packet (in
my case). FreeBSD does so by walking the ruleset one by one, starting
from the first rule. It does take some time if the number of rules to be
walked is high. How do I know it's the firewall causing the drops: if I
short-circuit this process by adding "allow ip from any to any" as the
first rule, all Ierrs disappear.

> number of rules but the "kind" of rules can also make a big difference.
> For example, most searchers become slower with regex intensive rules and
> if some such rules in your original set were retained in the reduced set
> of 85, then the drop will continue. However, why have the drops
> increased - good question. One remote guess is that it can depend on the
> behavior of the searcher - does it stop searching on the rest of the
> rules if a rule is found. If this is the case, then it is again possible
> that the set of 85 does not match most of the time causing more work for
> the searcher.
>
> All the best for your investigations,
>

Thank you!

> regards,
> Sriram
>