Date: Fri, 26 Apr 2013 17:42:24 +0400
From: Gleb Smirnoff
To: Erich Weiler
Cc: freebsd-net@freebsd.org
Subject: Re: pf performance?
Message-ID: <20130426134224.GV76816@FreeBSD.org>
In-Reply-To: <5176E5C1.9090601@soe.ucsc.edu>
List-Id: Networking and TCP/IP with FreeBSD

Erich,

On Tue, Apr 23, 2013 at 12:49:21PM -0700, Erich Weiler wrote:
E> I have a question here about how FreeBSD (8.1-RELEASE-p13 specifically)
E> behaves when acting as a firewall. I understand the pf process is
E> "giant locked" to a single CPU core when inspecting packets inbound and
E> outbound. I was wondering, how does that manifest when I look at
E> "top -P" on the firewall?

pf isn't a process, so you can't see it in top. pf does have some helper threads, but packet processing isn't performed by any of them.

pf is kind of a library in the kernel. The packets are processed by NIC interrupt handler threads, and these threads enter the library to perform packet filtering. Since in FreeBSD 8 this library is covered by a single lock (it isn't the Giant, but it is kind of a "local pf giant"), processing is serialized: threads enter the library one by one, and they are blocked on entry if another thread is already working inside.

In FreeBSD 10 pf is no longer under a single lock. On your hardware, I'd expect a measurable performance gain if you migrate to 10.

--
Totus tuus, Glebius.