From: Deomid Ryabkov
Date: Wed, 25 Mar 2009 00:22:14 +0000
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: 8.0-CURRENT: having pf enabled without any rules impacts forwarding performance

Max Laier wrote:
> On Wednesday 25 March 2009 00:13:55 Deomid Ryabkov wrote:
>
>> i have a machine with nc running through it.
>> with pf disabled, i see 960-970 mbit/s through it (as reported by
>> systat -ifstat).
>> just having pf enabled, with empty ruleset:
>>
>> # pfctl -vs nat
>> # pfctl -vs rules
>> #
>>
>> reduces throughput to about 700 mbit.
>> this seems wrong. any ideas why this might be happening?
>>
>
> You have to search the (empty) ruleset for the (implicit) default "pass all"
> rule. This is somewhat expensive. Then there is the pf mutex (quite
> expensive) and the pfil rm_lock (not so much). In addition the pf mutex is a
> single, global lock and thus reduces the opportunity for parallelism.
>
>

thanks for explanation, Max.
further data point: ruleset with 8 nat rules that never match (but have to be
checked) chops off further ~50 mbit.
that i'm less worried about, but the initial hit for just enabling filtering
does worry me quite a bit.
is there anything to be done about that? is anything being done? or planned?

[hardware is 2 x Xeon E5410 (2.3 GHz), network interfaces are Intel PRO/1000 PT]

>> OS: 8.0-CURRENT #0: Fri Feb 27 04:20:49 MSK 2009
>>
>> thanks.
>>
>

-- 
Deomid Ryabkov aka Rojer
myself@rojer.pp.ru
rojer@sysadmins.ru
ICQ: 8025844