From: Damien Fleuriot <ml@my.gd>
To: Mark Linimon, Gleb Smirnoff
Cc: freebsd-hackers@freebsd.org, Adrian Chadd
Date: Fri, 15 Jun 2012 15:08:40 +0200
Subject: Re: Upcoming release schedule - 8.4 ?
Message-ID: <4FDB33D8.3010208@my.gd>
In-Reply-To: <20120615085240.GA11343@lonesome.com>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

On 6/15/12 10:52 AM, Mark Linimon wrote:
> On Fri, Jun 15, 2012 at 10:16:30AM +0200, Damien Fleuriot wrote:
>> I'm thinking we might jump straight from 8.x to 10 when the time comes,
>> I'm really looking forward to Gleb's work on CARP and PF ;)
>
> I don't know why you might think one .0 release would be more mature
> than another .0 release. Maybe I'm misunderstanding.
>

10.0 hasn't scared the hell out of me, yet, on the ml... :p

>> There are not many boxes I could try 9.0 on, because they're in
>> production with pfsync to conserve client sessions and I'm loath to
>> take risks with most of our firewalls.
>
> This is where having one or more systems for development is key.
>

My problem here is that the dev and preprod platforms are actively used by our devs, which means that it costs us money if we have an outage.

I suppose I could try upgrading the backup box to 9.0 then swapping over to it.

My main problem here is that we've got many machines to administer, on top of the network and security, and there's just me and myself that touch the firewalls.

It always comes down to time being short...

> Installations like yours are in a far better situation to test FreeBSD under
> realistic loads than are all but a few of the FreeBSD developers. I would
> urge testing long before the leadup to a .0 release, not afterwards.
>

I guess it couldn't hurt overmuch for me to test 9.0 on one of our projects; I could update 1 of the 4 boxes to 9.0 and make it CARP master.

If that goes well, 1-2 weeks later I could push 9.0 on another project which uses 4 *active* firewalls.

This is a medium packet-rate [2][3] real-life [1] project and could yield interesting results for you guys.

@gleb
Are there any counter-indications against running 8-STABLE and 9-STABLE sets of firewalls with CARP and pfsync?

[1] Firewalls share 8 CARP IPs and are each master on 2 at a given time.
    Firewalls use VLAN tagging over a link aggregation interface.
    Firewalls use relayd to dynamically rdr packets to backend servers.

[2] IRQs on Broadcom NIC:

# vmstat -i
interrupt                          total       rate
irq9: acpi0                           22          0
irq20: uhci3                          20          0
irq21: uhci2 uhci4+                   25          0
cpu0: timer                   2089687121       2000
irq256: bce0                    33684311         32
irq257: bce1                  8636578820       8266

[3] PF output:

Status: Enabled for 12 days 02:10:48           Debug: Urgent

Interface Stats for vlan20            IPv4             IPv6
  Bytes In                    522596420435                0
  Bytes Out                  5536513003172                0
  Packets In
    Passed                      4893000575                0
    Blocked                      144967803                0
  Packets Out
    Passed                      6005257543                0
    Blocked                         478378                0

State Table                          Total             Rate
  current entries                    16556
  searches                     22646986476        21679.1/s
  inserts                       1368370473         1309.9/s
  removals                      1368353917         1309.9/s
Counters
  match                         1650605688         1580.1/s
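As an added example that is not part of the original post, the following Python script parses the `pfctl -s info` output quoted in footnote [3] (numbers copied from the post, two-column layout assumed to be pf's standard one), recomputes each rate from the raw counter and the uptime, derives the aggregate IPv4 packet rate behind "medium packet-rate", and checks that inserts minus removals accounts for the current state-table size.

```python
import re
# pfctl -s info output quoted in the post (numbers copied, two-column layout restored).
PF_INFO = """\
Status: Enabled for 12 days 02:10:48           Debug: Urgent
Interface Stats for vlan20            IPv4             IPv6
  Packets In
    Passed                      4893000575                0
    Blocked                      144967803                0
  Packets Out
    Passed                      6005257543                0
    Blocked                         478378                0
State Table                          Total             Rate
  current entries                    16556
  searches                     22646986476        21679.1/s
  inserts                       1368370473         1309.9/s
  removals                      1368353917         1309.9/s
Counters
  match                         1650605688         1580.1/s
"""

def parse_pf_info(text):
    """Return raw counters (int) and the rates pf itself reports (float)."""
    counters, rates, direction = {}, {}, None
    for line in text.splitlines():
        if line.startswith("  Packets "):          # 'Packets In' / 'Packets Out' header
            direction = line.split()[1].lower()
        m = re.match(r"\s+(Passed|Blocked)\s+(\d+)", line)   # IPv4 column only
        if m and direction:
            counters[f"{direction}_{m.group(1).lower()}"] = int(m.group(2))
            continue
        m = re.match(r"\s+(current entries|searches|inserts|removals|match)"
                     r"\s+(\d+)(?:\s+([\d.]+)/s)?", line)
        if m:
            counters[m.group(1).replace(" ", "_")] = int(m.group(2))
            if m.group(3):
                rates[m.group(1).replace(" ", "_")] = float(m.group(3))
    return counters, rates

def check_pf_info(text, tolerance=0.01):
    """Recompute rates from counter / uptime and compare with pf's own figures."""
    d, h, mi, s = map(int, re.search(r"Enabled for (\d+) days (\d+):(\d+):(\d+)", text).groups())
    up = d * 86400 + h * 3600 + mi * 60 + s
    counters, rates = parse_pf_info(text)
    # pf's displayed rate should equal counter / uptime within rounding
    mismatches = [k for k, r in rates.items() if abs(counters[k] / up - r) > tolerance * r]
    # aggregate IPv4 packet rate on vlan20 (passed + blocked, both directions)
    pps = sum(counters[k] for k in ("in_passed", "in_blocked", "out_passed", "out_blocked")) / up
    # every state inserted and not yet removed should still be in the table
    state_ok = counters["inserts"] - counters["removals"] == counters["current_entries"]
    return {"uptime_s": up, "pps": pps, "mismatches": mismatches, "state_table_consistent": state_ok}
```

For the quoted figures the recomputed rates agree with pf's, the table is consistent (16556 entries) and the box averages roughly 10.5k IPv4 packets per second over the 12-day window.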