From: Jim Thompson
To: Antoine Beaupré
Cc: freebsd-net@FreeBSD.org
Subject: Re: is polling still a thing?
Date: Tue, 27 Jan 2015 12:03:19 -0600
In-Reply-To: <871tmgceup.fsf@marcos.anarc.at>
References: <871tmgceup.fsf@marcos.anarc.at>
List-Id: Networking and TCP/IP with FreeBSD

> On Jan 27, 2015, at 11:28 AM, Antoine Beaupré wrote:
>
> (Please CC, as I am not on the list.)
>
> I was surprised to read this article in the pfSense blog:
>
> https://blog.pfsense.org/?p=115

That article is from June 2007. It's over seven years old. Times change.

> TLDR: "At this time, polling is not recommended at all."

There are situations which warrant polling.

> Is that true? I am trying to tweak a Supermicro machine as a router to
> survive major DDOS attacks on a 1gbps link. So far, I can't get far
> beyond the 100kpps and 50mbps mark.
>
> The hardware is:
>
> * 2xIntel E1G44HTBLK NICs Quad port i340 PCIe Nic (igb(4) driver)
> * 1xIntel 1220LV2 CPU 2 core Ivy Bridge @ 2.3GHz
>
> More detailed specs here:
>
> https://wiki.koumbit.net/rtr1.koumbit.net

Says you're running 9.3. The pf in 9.3 is single-threaded.

> We are using a stateful pf firewall and polling on the network
> interfaces. We got around 100kpps during the DDOS, with 700kpps dropped
> (or at least 700k/s errors) on the NIC. The DDOS was apparently 5.5gbps
> but around 400mbps reached our port from upstream's point of view. The
> kernel interfaces counted around 50mbps:
>
> https://redmine.koumbit.net/attachments/download/7706
> https://redmine.koumbit.net/attachments/download/7707
> https://redmine.koumbit.net/attachments/download/7708
> https://redmine.koumbit.net/attachments/download/7709

These want a login/password to access.

> The load on the router was fine during the DDOS, but of course packet
> loss was endemic.
>
> At this point, I'm considering the following options:
>
> * switching to an Intel IGB nic

You already have one.

> * enabling fastforwarding

Typically a good idea.

> * tweak the number of IGB queues
>
> Any recommendations would be welcome.

Have you considered FreeBSD 10.1?

> Thanks!
>
> A.
>
> --
> feature, n: a documented bug | bug, n: an undocumented feature
> - Mario S F Ferreira