Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 27 Dec 2011 16:58:07 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        "Alexander V. Chernikov" <melifaro@freebsd.org>
Cc:        Pawel Tyll <ptyll@nitronet.pl>, freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject:   Re: Firewall Profiling.
Message-ID:  <4EFA3F6F.9040404@sentex.net>
In-Reply-To: <4EF9ADBC.8090402@FreeBSD.org>
References:  <1498545030.20111227015431@nitronet.pl> <4EF9ADBC.8090402@FreeBSD.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On 12/27/2011 6:36 AM, Alexander V. Chernikov wrote:
>> Is  IPFW  efficient  enough  to  firewall  2x10GE  (in+out) interfaces
>> without  much  latency  increase,  when  running  on  modern  hardware
>> with Intel NICs? Majority of processing tasks would probably be setfib
>> according to matches in tables.
> IPFW seems to add more or less constant overhead per rule. In our setup,
> ~20 rules increase load by 100% (one core).  We are able to reach 10GE
> (1.1mpps) on some routers with most packets travelling 8-10 ipfw rules.
> However, even with ipfw add 1 allow ip from any to any
> 1.1 mpps routing utilizes E5645 by more that 80%. (with IGP routes in
> rtable only). YMMV, but 2x10G is too much at the moment even without ipfw.


Dont some of the modern 10G adapters support filtering in the card
itself ?  eg cxgbe.

	---Mike



-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4EFA3F6F.9040404>