From: Olivier Cochard-Labbé
Date: Tue, 9 Dec 2014 01:31:35 +0100
Subject: Re: Why merging recent OpenBSD PF code is not easy (was Re: FOLLOW-UP)
To: Maxim Khitrov
Cc: Martin Hanson, freebsd-pf@freebsd.org

On Mon, Dec 8, 2014 at 4:27 PM, Maxim Khitrov wrote:

> On Sun, Dec 7, 2014 at 9:22 PM, Jim Thompson wrote:
> > OpenBSD may eventually grow proper multicore support, but that is of
> > little concern to the FreeBSD project. It took FreeBSD years to get
> > proper multicore support, and I doubt OpenBSD gets there any faster.
> > Nor have they started. This is bad news for OpenBSD, because the world
> > is now multicore, 1Gbps are common (I have one to my house) and 10Gbps
> > connections are increasingly common. OpenBSD's "pf" doesn't even handle
> > 1Gbps unless
>
> How many of your 1 Gbps links are handling 1.488 Mpps? I wasn't very
> interested in that use case when I did my testing, so for me, OpenBSD
> 5.3 handled 4.2 Gbps (MTU 1500) with Intel X540 NIC and Xeon
> E3-1275v2. If I did the math right, that's ~0.35 Mpps:
>
> http://marc.info/?l=openbsd-misc&m=137600809910496&w=2

If your firewall is using a Gbps link you should take care of supporting the
maximum Gigabit Ethernet throughput of 1.488 Mpps: it's too easy to DoS any
kind of OpenBSD firewall with a simple user-land tool like
src/tools/tools/netrate/netblast. You only need to generate about 700 Kpps
for an OpenBSD 5.4 (I didn't test a more recent release).

But the performance of a firewall isn't limited to the "forwarding
performance" (and the unit is a throughput in packets per second, not a
bandwidth): there are lots more parameters to take care of (cf. RFC 3511,
"Benchmarking Methodology for Firewall Performance").

Regards,

Olivier
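The pps figures traded in this thread, worked through as an added example (editor's code, not from the thread or from any BSD project): converting a link rate, or a measured throughput, into packets per second for a given frame size. It assumes standard Ethernet framing: 8-byte preamble+SFD and 12-byte inter-frame gap spent on the wire per frame, 14-byte header plus 4-byte FCS around the IP packet, 64-byte minimum frame. That is where 1.488 Mpps comes from for GigE; counting the same framing, 4.2 Gbps at MTU 1500 is about 0.34 Mpps (the 0.35 figure quoted above comes out if the 1500-byte IP size is used without framing), and 700 kpps of minimum-size frames is roughly 47% of GigE line rate. The frame sizes in the table are the RFC 2544 set most forwarding benchmarks use.

```python
"""Bandwidth <-> packet-rate conversions for Ethernet forwarding benchmarks.

Editor's example; assumes standard Ethernet framing constants below.
"""

PREAMBLE_SFD_BYTES = 8   # preamble (7) + start frame delimiter (1)
IFG_BYTES = 12           # minimum inter-frame gap, idle time on the wire
ETH_HDR_BYTES = 14       # dst MAC, src MAC, EtherType
FCS_BYTES = 4            # frame check sequence
MIN_FRAME_BYTES = 64     # smallest legal frame, header and FCS included

# RFC 2544 frame sizes used by most forwarding benchmarks.
RFC2544_FRAME_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)


def frame_for_mtu(mtu_bytes):
    """Ethernet frame size carrying an IP packet of `mtu_bytes`."""
    return mtu_bytes + ETH_HDR_BYTES + FCS_BYTES


def wire_bytes(frame_bytes):
    """Link time consumed per frame, in byte times, including preamble and IFG."""
    if frame_bytes < MIN_FRAME_BYTES:
        raise ValueError("frame shorter than the 64-byte Ethernet minimum")
    return frame_bytes + PREAMBLE_SFD_BYTES + IFG_BYTES


def pps_at(bits_per_second, frame_bytes):
    """Packets per second that `bits_per_second` of link time represents when
    every frame is `frame_bytes` long.  Use it on a link's nominal rate to get
    line-rate pps, or on a measured throughput to get the pps actually forwarded."""
    return bits_per_second / (wire_bytes(frame_bytes) * 8)


def line_rate_table(link_bps, sizes=RFC2544_FRAME_SIZES):
    """Max pps per frame size.  The 64-byte entry is the worst case a firewall
    has to survive, and the one a pps flood tool aims for."""
    return {size: round(pps_at(link_bps, size)) for size in sizes}


def load_fraction(offered_pps, link_bps, frame_bytes=MIN_FRAME_BYTES):
    """Share of line rate an offered packet rate represents (1.0 = wire speed)."""
    return offered_pps / pps_at(link_bps, frame_bytes)


if __name__ == "__main__":
    gige = 1_000_000_000
    for size, pps in line_rate_table(gige).items():
        print(f"GigE, {size:5d}-byte frames: {pps:>10,d} pps line rate")
    # Figures from the thread: 4.2 Gbps at MTU 1500, and ~700 kpps to DoS a box.
    print(f"4.2 Gbps at MTU 1500 = {pps_at(4.2e9, frame_for_mtu(1500)):,.0f} pps")
    print(f"700 kpps of 64-byte frames = "
          f"{load_fraction(700_000, gige):.0%} of GigE line rate")
```

Run it as a script for the table; the functions are also importable for plugging measured netblast or pf counters into a benchmark report. Note that pps_at() treats the bandwidth as link time consumed, so a throughput quoted as IP payload bytes per second will come out slightly lower once framing is added back.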