From: Stefan Lambrev
Date: Thu, 24 Jan 2008 17:39:41 +0200
To: freebsd-pf@freebsd.org
Subject: PF makes em0 taskq to eat 100% CPU
Message-ID: <4798B13D.4080701@moneybookers.com>

Hello,

I'm doing some tests and benchmarks, and I'm testing pf on a bridge firewall. One of the specific tests is how PF will handle a SYN flood from random source addresses. While the bridge is w/o activated PF, I see 12-14MB/s traffic.
When I enable PF, the traffic drops to 2-5MB/s and I'm starting to see lost packets.

Here is what top -S shows when PF is not active:

  25 root  1 -68  -  0K  16K  -  1  34:45  26.37%  em0 taskq

Only 26% CPU is used, but when I enable PF it (em0 taskq) goes up to 100% and packets are lost.

Here is the pf.conf used for the tests:

#macros
ext_if="em0"
int_if="em1"
br_if="bridge0"
www="10.3.3.1"

#sets
set skip on lo0
set skip on $int_if
set skip on $br_if
set limit states 20000000
set limit src-nodes 15000
set optimization aggressive

# The <table> name was stripped by the list archive; <abusive_hosts> is
# assumed here from the file name.
table <abusive_hosts> persist file "/etc/abusive_hosts"

block log quick from <abusive_hosts> to any
block log quick from any to <abusive_hosts>

pass in quick on $ext_if proto tcp from any to $www port { 80, 443 } flags S/SA keep state \
        (source-track rule, max-src-conn-rate 150/10, max-src-states 250, overload <abusive_hosts> flush global)

The number of states that I reach is a little more than 2,000,000 (20,000,000 is the limit that I enforce).

FreeBSD 7.0-RC1 - Thu Jan 24 - amd64 - sched_ule

Please advise.

-- 
Best Wishes,
Stefan Lambrev

ICQ# 24134177
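A check for watching this kind of test, added here and not part of Stefan's mail: it parses the counter rows of `pfctl -si` (the sample output below is constructed, with invented numbers) and flags the state table nearing `set limit states`, inserts outrunning removals, and the pf drop counters that mean new states or source nodes are being refused. The 20000000 limit is the value from the pf.conf above; the 80% and 10x thresholds are assumptions.

```python
import re

# Constructed sample of `pfctl -si` output (invented numbers, not from the
# original mail), laid out like FreeBSD 7's pfctl prints it.
SAMPLE_PFCTL_SI = """\
Status: Enabled for 0 days 00:05:12           Debug: Urgent

State Table                          Total             Rate
  current entries                  2012345
  searches                       120345678        385968.2/s
  inserts                          2012345          6450.5/s
  removals                           31000            99.3/s
Counters
  match                            2012345          6450.5/s
  memory                                 0             0.0/s
  state-mismatch                         0             0.0/s
  state-limit                            0             0.0/s
  src-limit                          45210           144.9/s
  synproxy                               0             0.0/s
"""

# One counter row: indented name, total, optional "<rate>/s".
ROW = re.compile(r"^\s+([a-z-]+(?: [a-z]+)?)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$", re.M)

def parse_pfctl_si(text):
    """Map each counter name to (total, rate-per-second or None)."""
    return {m.group(1): (int(m.group(2)), float(m.group(3)) if m.group(3) else None)
            for m in ROW.finditer(text)}

def assess(stats, state_limit, warn_fraction=0.8, growth_ratio=10.0):
    """Flag what matters while the flood runs: the table nearing
    `set limit states`, inserts outrunning removals (states are created
    faster than they time out), and the counters that mean pf is already
    refusing new states (memory, state-limit) or source nodes (src-limit)."""
    findings = []
    entries = stats["current entries"][0]
    if entries >= warn_fraction * state_limit:
        findings.append(f"state table at {entries} of {state_limit}")
    ins, rem = stats["inserts"][1], stats["removals"][1]
    if ins is not None and rem is not None and ins > growth_ratio * max(rem, 1.0):
        findings.append(f"inserts {ins}/s vs removals {rem}/s: table is growing")
    for name in ("memory", "state-limit", "src-limit"):
        rate = stats.get(name, (0, None))[1]
        if rate:
            findings.append(f"{name} drops at {rate}/s")
    return findings

if __name__ == "__main__":
    # 20000000 is the `set limit states` value from the pf.conf in the mail.
    for line in assess(parse_pfctl_si(SAMPLE_PFCTL_SI), 20000000):
        print(line)
```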