From: Jeremy Chadwick
To: Peter Maxwell
Cc: freebsd-pf@freebsd.org
Date: Mon, 10 Nov 2008 01:31:41 -0800
Subject: Re: Blocking udp flood trafiic using pf, hints welcome

On Sun, Nov 09, 2008 at 05:47:54PM +0000, Peter Maxwell wrote:
> ii) Ensure you're using a good NIC, the CPU offload abilities in Intel
> (and I think Broadcom) cards can reduce the impact on CPU generally.

I think (hope) what you're referring to are TSO, LRO, and TX/RX checksum
offloading.  Assuming you are, you should be aware of the following:

* These features do not greatly reduce CPU usage; the impact is minimal.

* Both TSO and TX/RX checksums are known to be buggy on many NICs,
  including some developed within the past year.  I can refer you to
  many threads on -hardware, -current, and -stable discussing this fact,
  specifically from the driver authors themselves.  Sometimes it's just
  rxcsum which is buggy, or just txcsum.  I do not believe Broadcom or
  Intel NICs are affected by such issues, but regardless it's important
  users understand these features *can* lead to packet corruption on
  some NICs.

* TX/RX checksum offloading often confuses users who use tcpdump or
  Wireshark -- "why are all of my packets showing checksum errors??!"
  being a common question even today.  It often leads users on a wild
  goose chase, thinking those messages indicate the source of their
  problems.

If you weren't referring to these features, what were you referring to?
I'm curious to know.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
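
Why a capture taken on the sending host reports checksum errors when TX checksum offload is enabled, as an added example that is not part of the original message: tcpdump sees the segment before the NIC has filled in the checksum field, so verification fails on the capture even though the packet on the wire is valid. The addresses, ports, payload and the zero placeholder in the checksum field are constructed for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that is covered by the TCP checksum."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))

def tcp_segment(payload: bytes, csum: int) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK, constructed ports) plus payload."""
    header = struct.pack("!HHIIHHHH", 40000, 80, 1, 0,
                         (5 << 12) | 0x018, 65535, csum, 0)
    return header + payload

def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """What tcpdump/Wireshark do: sum everything, a valid segment yields 0."""
    return inet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

def demo():
    src, dst = "192.0.2.10", "198.51.100.20"      # constructed (RFC 5737)
    payload = b"GET / HTTP/1.0\r\n\r\n"           # constructed

    # With txcsum offload the stack does not finish the checksum; the capture
    # tap copies the segment at this point (placeholder value assumed: 0).
    as_captured = tcp_segment(payload, 0)

    # The NIC then computes the final checksum before transmitting.
    final = inet_checksum(pseudo_header(src, dst, len(as_captured)) + as_captured)
    on_wire = tcp_segment(payload, final)

    return (checksum_ok(src, dst, as_captured),
            checksum_ok(src, dst, on_wire),
            final)

if __name__ == "__main__":
    captured_valid, wire_valid, final = demo()
    print("capture on sender verifies:", captured_valid)
    print("packet on the wire verifies:", wire_valid, hex(final))
```

Checksum errors seen only on locally generated packets in a local capture are therefore expected with offload enabled; capturing on the receiving host or a span port shows what was actually transmitted.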