From owner-freebsd-net@FreeBSD.ORG Wed Sep 18 09:18:41 2013
Return-Path: 
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 5EC607A0 for ; Wed, 18 Sep 2013 09:18:41 +0000 (UTC) (envelope-from rizzo.unipi@gmail.com)
Received: from mail-la0-x236.google.com (mail-la0-x236.google.com [IPv6:2a00:1450:4010:c03::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id C75D02B41 for ; Wed, 18 Sep 2013 09:18:40 +0000 (UTC)
Received: by mail-la0-f54.google.com with SMTP id ea20so5362714lab.41 for ; Wed, 18 Sep 2013 02:18:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject:from:to:cc:content-type; bh=qzgIi+RRSorEeB7+lbtmcOlCr+cRPNk2sp0clt51XKQ=; b=Bj4a/Fj9cwmZWjM0eSNHAY/MvsiQFh+lcr4HLqylHEzFvoTXA3TsfUryGpGCHqSXhQPbXR0K2msFo/A4aCu5+Ud9LmL3amFxUODJRVCZkI6upaPmxmSHs8aIJO87rtaA3DpVK1gWcZuBi0tz8coEdKiHX4mDqkaBZ0hna9C0+1BeoCPuVXUSOrIzFzTMZYp4EVPbMw3ilQS3Voc67W1Cg55BGM7qLcNfYys7uafD8SpYnJPUyKFqZttEg/uIAERVhdzOPMuLx4mDX01LvHEZ3QkLvGnpIkhEqRbcx+mv75RnKB9UjCrwr1UJZfHuzHpCepBFx0j4LbeWk7GtTMWKJQ==
MIME-Version: 1.0
X-Received: by 10.112.190.1 with SMTP id gm1mr5867471lbc.30.1379495918767; Wed, 18 Sep 2013 02:18:38 -0700 (PDT)
Sender: rizzo.unipi@gmail.com
Received: by 10.114.200.165 with HTTP; Wed, 18 Sep 2013 02:18:38 -0700 (PDT)
In-Reply-To: <20130918175406.B1460@sola.nimnet.asn.au>
References: <20130918175406.B1460@sola.nimnet.asn.au>
Date: Wed, 18 Sep 2013 11:18:38 +0200
X-Google-Sender-Auth: J3l6Pe9xPTnWwRMt7PuJlStGcDY
Message-ID: 
Subject: Re: impact of disabling firewall on performance?
From: Luigi Rizzo 
To: Ian Smith 
Content-Type: text/plain; charset=ISO-8859-1
X-Content-Filtered-By: Mailman/MimeDel 2.1.14
Cc: h bagade , "freebsd-net@freebsd.org" 
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Wed, 18 Sep 2013 09:18:41 -0000

On Wed, Sep 18, 2013 at 10:07 AM, Ian Smith wrote:
> On Wed, 18 Sep 2013 12:00:30 +0430, h bagade wrote:
> > Hi all,
> >
> > I've heard that disabling the firewall with commands or setting the
> > related sysctl parameter wouldn't increase performance and that
> > firewalls still participate in the forwarding process. The only way to
> > reach better performance is to make the firewall modules be loaded
> > dynamically and thereafter unload the firewall modules!
>
> Where exactly did you hear that?
>
> > I want to know: is it right? And if so, why should it be like this?
>
> The difference between not invoking a firewall at all and invoking one
> with a single 'pass all' rule would be fairly difficult to measure per
> packet. If your firewall is a bottleneck you likely have larger issues.

well... unloading or disabling the firewall with a sysctl is likely
exactly the same in terms of performance -- it's just something like

    if (firewall_loaded || firewall_enabled) {
        invoke_firewall(...);
    }

However, executing the firewall with a single pass rule consumes some
significant amount of time, see

    http://info.iet.unipi.it/~luigi/papers/20091201-dummynet.pdf

(those numbers are from 2009 and I measured about 400ns; recent
measurements with ipfw-over-netmap on a fast i7 give about 100ns per
packet). This is definitely measurable.

cheers
luigi
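The two code paths Luigi contrasts, written out as an added, self-contained toy model (this is not FreeBSD or ipfw code, and the names fw_enabled, fw_check, pfil_hook, forward_burst and hook_ns_per_pkt are hypothetical stand-ins for the real pfil/ipfw entry points). "Disabled" is a single flag test with no call, exactly like the sketch in the reply; "enabled with a single pass-all rule" is a call into a rule walker that still has to match the packet against the rule and return a verdict, which is the per-packet work the thread says is measurable. The constructed packet and rule list are embedded inline, and main() prints a rough ns/packet figure for both configurations on the machine it runs on.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example, not FreeBSD code: hypothetical names throughout. */
enum { FW_PASS = 0, FW_DENY = 1 };

struct pkt { uint32_t src, dst; uint8_t proto; };

/* A field of 0 is a wildcard, so { 0, 0, 0, FW_PASS } is "pass all". */
struct rule { uint32_t src, dst; uint8_t proto; int action; };

#define FW_MAXRULES 16
static struct rule fw_rules[FW_MAXRULES];
static int fw_nrules;
static int fw_enabled;   /* stands in for the "disable the firewall" sysctl */

/* Flip the enable flag; returns the previous value. */
int fw_set_enabled(int on) { int prev = fw_enabled; fw_enabled = on; return prev; }

/* Install a rule list; returns the number installed, 0 on bad length. */
int fw_set_rules(const struct rule *rules, int n) {
    if (n < 0 || n > FW_MAXRULES) return 0;
    memcpy(fw_rules, rules, (size_t)n * sizeof *rules);
    fw_nrules = n;
    return n;
}

static int rule_matches(const struct rule *r, const struct pkt *p) {
    return (r->src == 0 || r->src == p->src) &&
           (r->dst == 0 || r->dst == p->dst) &&
           (r->proto == 0 || r->proto == p->proto);
}

/* Rule walker: first match wins, implicit deny at the end. Even a single
 * "pass all" rule costs this call, the match and the return on every packet. */
int fw_check(const struct pkt *p) {
    for (int i = 0; i < fw_nrules; i++)
        if (rule_matches(&fw_rules[i], p))
            return fw_rules[i].action;
    return FW_DENY;
}

/* The hook as sketched in the reply: disabled means one flag test, no call. */
int pfil_hook(const struct pkt *p) {
    if (fw_enabled)
        return fw_check(p);
    return FW_PASS;
}

/* Push npkts copies of *p through the hook; returns how many were passed. */
long forward_burst(long npkts, const struct pkt *p) {
    long passed = 0;
    for (long i = 0; i < npkts; i++)
        passed += (pfil_hook(p) == FW_PASS);
    return passed;
}

/* Rough per-packet cost of the hook, in nanoseconds, for the current config. */
double hook_ns_per_pkt(long npkts, const struct pkt *p) {
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    volatile long sink = forward_burst(npkts, p);
    clock_gettime(CLOCK_MONOTONIC, &b);
    (void)sink;
    return ((b.tv_sec - a.tv_sec) * 1e9 + (b.tv_nsec - a.tv_nsec)) / (double)npkts;
}

int main(void) {
    /* constructed sample: 10.0.0.1 -> 10.0.0.2, TCP */
    const struct pkt p = { 0x0a000001u, 0x0a000002u, 6 };
    const struct rule pass_all[] = { { 0, 0, 0, FW_PASS } };
    const long n = 10L * 1000 * 1000;

    fw_set_enabled(0);
    printf("firewall disabled (flag only):   %.1f ns/pkt\n", hook_ns_per_pkt(n, &p));
    fw_set_rules(pass_all, 1);
    fw_set_enabled(1);
    printf("enabled, single 'pass all' rule: %.1f ns/pkt\n", hook_ns_per_pkt(n, &p));
    return 0;
}
```

The absolute numbers this prints are for a toy matcher in user space and say nothing about ipfw itself; what carries over is the shape of the comparison: unloading the module and clearing the sysctl both leave only the flag test on the fast path, while any rule list, even a single pass-all rule, adds a call plus a match per packet, and that is the difference the 2009 paper and the later netmap measurements quantify.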