Date: Fri, 19 Oct 2012 19:47:03 +0800 From: Zamri Besar <zam4ever@gmail.com> To: "Andrey V. Elsukov" <ae@freebsd.org> Cc: ipfw@freebsd.org, net@freebsd.org Subject: Re: [RFC] Enabling IPFIREWALL_FORWARD in run-time Message-ID: <CAF0dOhHFVQ6tzMuT3j8q_A9KHpi9_PzCrmAezpvDqkSvWqTsPA@mail.gmail.com> In-Reply-To: <508138A4.5030901@FreeBSD.org> References: <508138A4.5030901@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Oct 19, 2012 7:25 PM, "Andrey V. Elsukov" <ae@freebsd.org> wrote: > > Hi All, > > Many years ago i have already proposed this feature, but at that time > several people were against, because as they said, it could affect > performance. Now, when we have high speed network adapters, SMP kernel > and network stack, several locks acquired in the path of each packet, > and i have an ability to test this in the lab. > > So, i prepared the patch, that removes IPFIREWALL_FORWARD option from > the kernel and makes this functionality always build-in, but it is > turned off by default and can be enabled via the sysctl(8) variable > net.pfil.forward=1. > > http://people.freebsd.org/~ae/pfil_forward.diff > > Also we have done some tests with the ixia traffic generator connected > via 10G network adapter. Tests have show that there is no visible > difference, and there is no visible performance degradation. > > Any objections? > > -- > WBR, Andrey V. Elsukov > This is what I want many years ago too... ;) I vote for "yes"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAF0dOhHFVQ6tzMuT3j8q_A9KHpi9_PzCrmAezpvDqkSvWqTsPA>