From: Marko Zec <zec@tel.fer.hr>
Date: Fri, 17 Jan 2003 01:37:15 +0100
To: Terry Lambert
Cc: Josh Brooks, Matthew Dillon, Nate Williams, freebsd-hackers@FreeBSD.ORG
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <3E27503B.B486731C@tel.fer.hr>

Terry Lambert wrote:
> Josh Brooks wrote:
> > You know, I keep hearing this ... the machine is a 500 MHz P3 Celeron with
> > 256 megs RAM ... and normally `top` says it is at about 80% idle, and
> > everything is wonderful - but when someone shoves 12,000-15,000 packets
> > per second down its throat, it chokes _hard_. You think that optimizing
> > my ruleset will change that? Or does 15K p/s choke any freebsd+ipfw
> > firewall with 1-200 rules running on it?
>
> No, I'm just plain confused... 15,000 packets/second is just not
> that much load:
>
> Minisize 15000 * 64B * 8b = 7,680,000b/S
> ...just less than 10 megabits/second.
>
> Maxsize 15000 * 1500B * 8b = 180,000,000b/S
> ...just less than 200 megabits/second.
>
> I don't understand where you are spending your CPU time, even
> if the packets are being written to disk before they are sent
> on...

At 20,000 pps you have only 50 usec for forwarding each packet, without doing any other work on the system. With a 500 MHz CPU this translates to 25,000 clock cycles per packet. Subtract some general interrupt and IP processing overhead, divide that by 200 ipfw rules, and you are left with only around 100 clock cycles per ipfw rule.

Having in mind that you are running on a system with a limited CPU cache, you'll certainly wait a lot when accessing code/data in RAM, so it's clear that this becomes an impossible mission. So, obviously, you don't need any ruleset "loops" as you are suggesting for such a configuration to livelock...

Marko
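As an added example (not part of the original thread, and not Marko's or the FreeBSD project's code), the per-packet CPU budget reasoning above can be written as a small capacity-planning model. It generalizes the two calculations in the thread (link rate from packet size, and clock cycles per packet and per rule) to arbitrary packet rates, CPU clocks and rule counts, and adds an estimate of the packet rate at which a given ruleset saturates the CPU. The fixed per-packet overhead (5,000 cycles) and the per-rule cost under cache pressure (300 cycles) are assumptions chosen for illustration, not measured values.

```python
# Added example: CPU budget model for a software packet filter.
# Inputs are packets per second (pps), CPU clock in Hz, rule count and
# assumed cycle costs. Nothing here is measured; overhead values are assumptions.


def link_bits_per_sec(pps, bytes_per_packet):
    """Line rate (bits/s) needed to carry `pps` packets of `bytes_per_packet` bytes."""
    return pps * bytes_per_packet * 8


def cycles_per_packet(pps, cpu_hz):
    """Clock cycles available per forwarded packet if the CPU did nothing else."""
    return cpu_hz / pps


def cycles_per_rule(pps, cpu_hz, rules, overhead_cycles):
    """Cycles left for each firewall rule after a fixed per-packet overhead
    (interrupt handling, IP processing). `overhead_cycles` is an assumption."""
    budget = cycles_per_packet(pps, cpu_hz) - overhead_cycles
    return budget / rules


def max_pps(cpu_hz, rules, cycles_per_rule_needed, overhead_cycles):
    """Highest packet rate the CPU can sustain before the ruleset alone exhausts it."""
    per_packet = overhead_cycles + rules * cycles_per_rule_needed
    return cpu_hz / per_packet


def cpu_utilization(pps, cpu_hz, rules, cycles_per_rule_actual, overhead_cycles):
    """Fraction of the CPU consumed by filtering; values above 1.0 mean the box
    cannot keep up and will livelock under a sustained packet flood."""
    per_packet = overhead_cycles + rules * cycles_per_rule_actual
    return pps * per_packet / cpu_hz


if __name__ == "__main__":
    # Values from the thread: 500 MHz CPU, 200 ipfw rules, 15,000-20,000 pps.
    cpu = 500e6
    rules = 200
    overhead = 5000          # assumed fixed per-packet overhead, in cycles
    for pps in (12000, 15000, 20000):
        print(f"{pps:>6} pps: {link_bits_per_sec(pps, 64)/1e6:6.2f} Mbit/s at 64B, "
              f"{link_bits_per_sec(pps, 1500)/1e6:6.1f} Mbit/s at 1500B, "
              f"{cycles_per_packet(pps, cpu):8.0f} cycles/packet, "
              f"{cycles_per_rule(pps, cpu, rules, overhead):6.1f} cycles/rule")
    # If each rule actually costs ~300 cycles (assumed; cache misses to RAM),
    # the ruleset saturates the CPU well below 15,000 pps.
    print(f"saturation at ~{max_pps(cpu, rules, 300, overhead):.0f} pps with 300 cycles/rule")
    print(f"utilization at 15,000 pps: {cpu_utilization(15000, cpu, rules, 300, overhead):.2f}")
```

The model deliberately ignores disk writes and any other work the host does, as Marko's estimate does, so its outputs are upper bounds on what the filter can handle; a real box saturates earlier. The defensive takeaway is unchanged: on a small CPU, keeping the rule count short (and the hot rules first) matters more than the link speed suggests.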