Date: Wed, 25 Mar 2009 00:22:14 +0000
From: Deomid Ryabkov <myself@rojer.pp.ru>
To: Max Laier <max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: 8.0-CURRENT: having pf enabled without any rules impacts forwarding performance
Message-ID: <49C97936.6020208@rojer.pp.ru>
In-Reply-To: <200903250107.36160.max@love2party.net>
References: <49C96933.4030901@rojer.pp.ru> <200903250107.36160.max@love2party.net>

Max Laier wrote:
> On Wednesday 25 March 2009 00:13:55 Deomid Ryabkov wrote:
>
>> i have a machine with nc running through it.
>> with pf disabled, i see 960-970 mbit/s through it (as reported by systat
>> -ifstat).
>> just having pf enabled, with empty ruleset:
>>
>> # pfctl -vs nat
>> # pfctl -vs rules
>> #
>>
>> reduces throughput to about 700 mbit.
>> this seems wrong. any ideas why this might be happening?
>>
>
> You have to search the (empty) ruleset for the (implicit) default "pass all"
> rule. This is somewhat expensive. Then there is the pf mutex (quite
> expensive) and the pfil rm_lock (not so much). In addition the pf mutex is a
> single, global lock and thus reduces the opportunity for parallelism.
>
>

thanks for explanation, Max.
further data point: ruleset with 8 nat rules that never match (but have to
be checked) chops off further ~50 mbit.
that i'm less worried about, but the initial hit for just enabling
filtering does worry me quite a bit.
is there anything to be done about that? is anything being done? or planned?

[hardware is 2 x Xeon E5410 (2.3 GHz), network interfaces are Intel
PRO/1000 PT]

>> OS: 8.0-CURRENT #0: Fri Feb 27 04:20:49 MSK 2009
>>
>> thanks.
>>
>
>

-- 
Deomid Ryabkov aka Rojer
myself@rojer.pp.ru
rojer@sysadmins.ru
ICQ: 8025844