From owner-freebsd-pf@FreeBSD.ORG Tue Oct 9 19:47:25 2007
From: Michael Conlen
To: freebsd-pf@freebsd.org
Date: Tue, 9 Oct 2007 15:19:55 -0400
Subject: PF in FreeBSD 5.3 versus 6.x
List-Id: "Technical discussion and general questions about packet filter (pf)"

I've noticed at some point between 5.3 and 6.0 that PF seems to be dropping more packets than with 5.3, and there is increased deviation in latency. Using the same equipment handling about 25k PPS each way, I see about 0.3% packet loss with FreeBSD 6.2 and 6.0, with sub-0.1% loss with FreeBSD 5.3. Similarly, the worst-case response times for ICMP packets are much lower in 5.3 than in either version of 6. I'm using something pretty vanilla in terms of setup: no ALTQ support or features, no redirects, just a lot of blocking and allowing.
The firewalls are using server-class 3Com and Intel Gigabit (Fiber) cards. The changes were noticed going forward and undone by going back to FreeBSD 5.3, so I don't suspect physical problems at the moment.

My pf.conf is essentially a "block in all" followed by a "block in quick" against a table with 2000 entries, many of them /24 or /16, followed by pass rules to the various host:ports we allow.

If I log in to the firewalls themselves and run mtr in each direction I don't see any traffic loss. It's only when crossing the firewalls.

Usage is about 25k packets per second and 100Mbit/sec 5-minute max traffic. The switches are Foundry SI-800g. pf is also doing about 25k/sec searches with 400 inserts a second, 270 removals and 407 matches/sec. The state table seems to run about 70,000 to 90,000 entries.

Are there issues I should be aware of, and should pf be able to handle this kind of load?

--
Michael Conlen
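The first thing to rule out with loss like this is pf itself discarding packets, which `pfctl -si` reports separately from rule-based blocks (the `memory`, `state-limit`, `congestion`, `state-insert` and `state-mismatch` counters), and whether the state table is pressing against the `set limit states` hard limit shown by `pfctl -s memory` (pf's default is 10000, far below the 70,000 to 90,000 entries described above). The script below is an added example, not part of the original post; the two sample outputs are constructed to resemble the poster's numbers, and the functions `pf_loss_counters` and `pf_state_headroom` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): scan `pfctl -si` and
# `pfctl -s memory` output for the counters that explain loss caused by pf
# itself rather than by a block rule. On a live firewall pipe the real
# commands in instead of the constructed samples:
#   pfctl -si       | pf_loss_counters
#   pfctl -s memory | pf_state_headroom "$(pfctl -si | awk '/current entries/ {print $3}')"

# Constructed sample of `pfctl -si`, abridged to the relevant sections and
# filled with figures in the range the poster reported.
SAMPLE_INFO='State Table                          Total             Rate
  current entries                    82113
  searches                      1504923871        25000.0/s
  inserts                         24183320          400.0/s
  removals                        24101207          270.0/s
Counters
  match                           24504321          407.0/s
  bad-offset                             0            0.0/s
  fragment                              12            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                              1836            0.3/s
  bad-timestamp                          0            0.0/s
  congestion                           412            0.1/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                        97            0.0/s
  state-insert                           0            0.0/s
  state-limit                         5120            0.9/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s'

# Constructed sample of `pfctl -s memory` showing pf's default limits.
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Read `pfctl -si` output on stdin and print every counter whose non-zero
# value means pf discarded the packet on its own (out of memory, state table
# full, congestion, duplicate insert, sequence/window mismatch).
# Exit status 1 if any such counter is non-zero, 0 otherwise.
pf_loss_counters() {
    awk '
        $1 == "memory" || $1 == "state-limit" || $1 == "congestion" ||
        $1 == "state-insert" || $1 == "state-mismatch" {
            if ($2 + 0 > 0) {
                printf "%-15s %s drops (%s)\n", $1, $2, $3
                hit = 1
            }
        }
        END { exit hit ? 1 : 0 }
    '
}

# Read `pfctl -s memory` output on stdin and compare the states hard limit
# with an observed entry count given as $1. Exit 1 when the table is at 90%
# of the limit or above, 0 when there is headroom, 2 if no limit line found.
pf_state_headroom() {
    observed="$1"
    awk -v observed="$observed" '
        $1 == "states" && $2 == "hard" {
            found = 1
            limit = $4
            printf "states: %d observed, %d hard limit\n", observed, limit
            exit (observed * 10 >= limit * 9) ? 1 : 0
        }
        END { if (!found) exit 2 }
    '
}

# Demo run against the constructed samples.
printf '%s\n' "$SAMPLE_INFO" | pf_loss_counters \
    || echo "pf is discarding packets itself; check 'set limit states' and kernel memory"
printf '%s\n' "$SAMPLE_MEMORY" | pf_state_headroom 82113 \
    || echo "state table is near or over its hard limit"
```

A growing `state-limit` counter with `current entries` at or above the hard limit means new connections are being refused by pf regardless of the rule set; raising `set limit states` (and confirming the kernel has memory for it with `pfctl -s memory` and `vmstat -m`) is the fix for that case, whereas a rising `memory` counter with the table well under its limit points at kernel memory pressure instead.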