Date: Wed, 28 Dec 2011 02:04:07 +0400
From: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To: Mike Tancsa <mike@sentex.net>
Cc: Pawel Tyll <ptyll@nitronet.pl>, freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: Firewall Profiling.
Message-ID: <4EFA40D7.60206@FreeBSD.org>
In-Reply-To: <4EFA3F6F.9040404@sentex.net>
References: <1498545030.20111227015431@nitronet.pl> <4EF9ADBC.8090402@FreeBSD.org> <4EFA3F6F.9040404@sentex.net>

Mike Tancsa wrote:
> On 12/27/2011 6:36 AM, Alexander V. Chernikov wrote:
>>> Is IPFW efficient enough to firewall 2x10GE (in+out) interfaces
>>> without much latency increase, when running on modern hardware
>>> with Intel NICs? Majority of processing tasks would probably be setfib
>>> according to matches in tables.
>> IPFW seems to add more or less constant overhead per rule. In our setup,
>> ~20 rules increase load by 100% (one core). We are able to reach 10GE
>> (1.1mpps) on some routers with most packets travelling 8-10 ipfw rules.
>> However, even with ipfw add 1 allow ip from any to any
>> 1.1 mpps routing utilizes E5645 by more than 80%. (with IGP routes in
>> rtable only). YMMV, but 2x10G is too much at the moment even without ipfw.
>
>
> Don't some of the modern 10G adapters support filtering in the card
> itself? e.g. cxgbe.

We're using Intel 8259X, it supports hardware filtering (flow director
and some other specific things like DCB) but:
1) Flow director is currently not supported (on FreeBSD)
2) There is no ipfw opcode compiler (however it seems that it's not too
hard to write one).
3) If ruleset is more or less optimized firewall is not the main CPU
consumer.

>
>     ---Mike
>
