From: Abdullah Ibn Hamad Al-Marri
Date: Thu, 24 Jan 2008 08:27:18 -0800 (PST)
To: Stefan Lambrev, freebsd-pf@freebsd.org
Subject: Re: PF makes em0 taskq to eat 100% CPU
Message-ID: <127299.50887.qm@web33714.mail.mud.yahoo.com>

----- Original Message ----
> From: Stefan Lambrev
> To: freebsd-pf@freebsd.org
> Sent: Thursday, January 24, 2008 6:39:41 PM
> Subject: PF makes em0 taskq to eat 100% CPU
>
> Hello,
>
> I'm doing some tests and benchmarks and I'm testing pf on bridge firewall.
> One of the specific tests is how PF will handle SYN flood from random
> source addresses.
> While the bridge is w/o activated PF, I see 12-14MB/s traffic.
> When I enable the PF the traffic drops to 2-5MB/s and I'm starting to
> see lost packets.
>
> Here is what top -S shows when PF is not active:
> 25 root 1 -68 - 0K 16K - 1 34:45 26.37% em0 taskq - only 26% CPU used
>
> but when I enable PF it (em0 taskq) goes up to 100% and packets are lost.
>
> Here is the pf.conf used for tests:
>
> #macros
> ext_if="em0"
> int_if="em1"
> br_if="bridge0"
>
> www="10.3.3.1"
>
> #sets
> set skip on lo0
> set skip on $int_if
> set skip on $br_if
> set limit states 20000000
> set limit src-nodes 15000
> set optimization aggressive
>
> table persist file "/etc/abusive_hosts"
>
> block log quick from to any
> block log quick from any to
>
> pass in quick on $ext_if proto tcp from any to $www port { 80, 443 } flags S/SA keep state \
> (source-track rule, max-src-conn-rate 150/10, max-src-states 250, overload flush global)
>
> The number of states that I reach is little more than 2,000,000.
> (20,000,000 is the limit that I enforce)
> FreeBSD 7.0-RC1- Thu Jan 24 - amd64 - sched_ule
>
> Please advise.
>
> --
>
> Best Wishes,
> Stefan Lambrev
> ICQ# 24134177
>

Hello Stefan,

What version of FreeBSD do you use and what arch? What is your CPU spec and what RAM?

Regards,

-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
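
The per-source limits in the quoted pass rule can be reasoned about with a small model. This is an added example, not part of either message and not pf's code. It assumes pf's documented semantics (max-src-states counts state entries per source address; max-src-conn-rate counts only connections that completed the TCP handshake), and every function name and traffic sample in it is constructed.

```python
import random
from collections import defaultdict, deque

# Limits copied from the pf.conf quoted in the message.
MAX_SRC_STATES = 250               # max-src-states 250
RATE_CONNS, RATE_SECS = 150, 10    # max-src-conn-rate 150/10

def simulate(syns, completes_handshake):
    """Toy model of the pass rule's per-source limits (an assumption, not pf code).

    syns: iterable of (time_seconds, source_ip); the traffic is constructed.
    completes_handshake: True for real clients, False for spoofed sources.
    Ignores 'set limit states', 'set limit src-nodes' and state timeouts.
    """
    states = defaultdict(int)        # source -> live state entries
    conns = defaultdict(deque)       # source -> times of completed handshakes
    overloaded = set()               # stands in for the overload table
    result = {"created": 0, "refused": 0, "blocked": 0}
    for t, src in syns:
        if src in overloaded:        # hit by the 'block quick' table rule
            result["blocked"] += 1
            continue
        if states[src] >= MAX_SRC_STATES:
            result["refused"] += 1   # max-src-states reached for this source
            continue
        states[src] += 1
        result["created"] += 1
        if not completes_handshake:
            continue                 # half-open: never counted by conn-rate
        window = conns[src]
        window.append(t)
        while window[0] <= t - RATE_SECS:
            window.popleft()         # keep only the last RATE_SECS seconds
        if len(window) > RATE_CONNS: # rate exceeded: overload + flush
            overloaded.add(src)
            states[src] = 0
    result["live"] = sum(states.values())
    result["overloaded"] = len(overloaded)
    return result

def spoofed_flood(n, seed=1):
    """Constructed sample: n SYNs, each from a random 32-bit source address."""
    rng = random.Random(seed)
    return [(i / 10000.0, rng.getrandbits(32)) for i in range(n)]

def single_client(n, src=0x0A030363):
    """Constructed sample: n SYNs within one second from one source address."""
    return [(i / 1000.0, src) for i in range(n)]

if __name__ == "__main__":
    print(simulate(spoofed_flood(100_000), completes_handshake=False))
    print(simulate(single_client(1000), completes_handshake=True))
```

In this model every SYN from a fresh random source creates a state and trips neither per-source limit, which is consistent with the state table growing into the millions in the report above; only a single persistent source is overloaded and flushed.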