From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 27 12:43:40 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9F7691065673; Tue, 27 Dec 2011 12:43:40 +0000 (UTC) (envelope-from sodynet1@gmail.com) Received: from mail-iy0-f182.google.com (mail-iy0-f182.google.com [209.85.210.182]) by mx1.freebsd.org (Postfix) with ESMTP id 5D3E68FC08; Tue, 27 Dec 2011 12:43:40 +0000 (UTC) Received: by iadj38 with SMTP id j38so24755102iad.13 for ; Tue, 27 Dec 2011 04:43:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=DeeF4yYcO5bv+3PeTXP4UbaASpcPgbmfOvXb2pt/umY=; b=fFlBnUgCn/CKDDxtLXPc1H2IkAJxPuNZtgwq+oc/+Ia3VO9Ut5yrIqv0IZnfxiLSak JJbTtzQx+XiXNVo23HAYEgexvVjyNPWOfm05CqtxHNXY8B6a79ohhMXpoWBE4aqnRYg7 GngCbQvT0/5UcQddMiMqARJdZA/dbCv+OCcZA= MIME-Version: 1.0 Received: by 10.50.190.201 with SMTP id gs9mr31425509igc.1.1324987970121; Tue, 27 Dec 2011 04:12:50 -0800 (PST) Received: by 10.231.41.206 with HTTP; Tue, 27 Dec 2011 04:12:50 -0800 (PST) In-Reply-To: <4EF9ADBC.8090402@FreeBSD.org> References: <1498545030.20111227015431@nitronet.pl> <4EF9ADBC.8090402@FreeBSD.org> Date: Tue, 27 Dec 2011 14:12:50 +0200 Message-ID: From: Sami Halabi To: "Alexander V. Chernikov" Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Pawel Tyll , freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org Subject: Re: Firewall Profiling. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Dec 2011 12:43:40 -0000 Hi, do you use dummynet? what is the server hardware configuration and tunings you did to acheive 10Gbps ? Sami On Tue, Dec 27, 2011 at 1:36 PM, Alexander V. Chernikov < melifaro@freebsd.org> wrote: > On 27.12.2011 04:54, Pawel Tyll wrote: > >> Hi lists, >> >> Are there any profiling tools in the system or ports that would allow >> me to determine how much processing is being done per packet and how >> long does it take? I would like to predict possible PPS load for my >> system and perhaps locate and remove some bottlenecks. >> >> Is IPFW efficient enough to firewall 2x10GE (in+out) interfaces >> without much latency increase, when running on modern hardware >> with Intel NICs? Majority of processing tasks would probably be setfib >> according to matches in tables. >> > IPFW seems to add more or less constant overhead per rule. In our setup, > ~20 rules increase load by 100% (one core). We are able to reach 10GE > (1.1mpps) on some routers with most packets travelling 8-10 ipfw rules. > However, even with ipfw add 1 allow ip from any to any > 1.1 mpps routing utilizes E5645 by more that 80%. (with IGP routes in > rtable only). YMMV, but 2x10G is too much at the moment even without ipfw. > > >> Pawel. >> >> >> ______________________________**_________________ >> freebsd-net@freebsd.org mailing list >> http://lists.freebsd.org/**mailman/listinfo/freebsd-net >> To unsubscribe, send any mail to "freebsd-net-unsubscribe@**freebsd.org >> " >> >> > > -- > WBR, Alexander > ______________________________**_________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/**mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@**freebsd.org > " > -- Sami Halabi Information Systems Engineer NMS Projects Expert