From owner-freebsd-net Wed Oct 9 1:30:49 2002 Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 82EAD37B401; Wed, 9 Oct 2002 01:30:48 -0700 (PDT) Received: from out7.mx.nwbl.wi.voyager.net (out7.mx.nwbl.wi.voyager.net [169.207.3.125]) by mx1.FreeBSD.org (Postfix) with ESMTP id 069EF43E42; Wed, 9 Oct 2002 01:30:48 -0700 (PDT) (envelope-from silby@silby.com) Received: from pop0.nwbl.wi.voyager.net (pop0.nwbl.wi.voyager.net [169.207.1.115]) by out7.mx.nwbl.wi.voyager.net (Postfix) with ESMTP id 3D1DC936C3; Wed, 9 Oct 2002 02:49:25 -0500 (CDT) Received: from [10.1.1.6] (d104.as12.nwbl0.wi.voyager.net [169.207.135.104]) by pop0.nwbl.wi.voyager.net (8.10.2/8.10.2) with ESMTP id g997nOj21464; Wed, 9 Oct 2002 02:49:24 -0500 (CDT) Date: Wed, 9 Oct 2002 02:53:43 -0500 (CDT) From: Mike Silbersack To: Christopher Smith Cc: hardware@freebsd.org, Subject: Re: High interrupt load on firewalls In-Reply-To: Message-ID: <20021009024946.D2682-100000@patrocles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 9 Oct 2002, Christopher Smith wrote: > No, we use IPFilter (and that definitely isn't going to change any time > soon). Oh. Hm, maybe IPFilter 4.0 will be faster. What you might consider doing is profiling the kernel on your test system to see where the majority of the cpu time is going. > The rule processing can't be done on the other CPU, can it ? Am I right in > saying that at this point in time, buying a dual CPU (vs single CPU) machine > for firewalling with FreeBSD is just a waste of money ? Even if it could be done, I doubt that would be the most cost effectively solution to the problem. Try out different NICs, then move on to kernel profiling if it's still a problem. Luigi can probably comment more on this, but one thing which comes to mind is that the if_ti driver might not be updated to use the new m_getcl function Luigi added. Luigi claimed a 10% increase in forwarding speed for drivers using it, I believe. :) Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message