Date: Wed, 18 Sep 2013 11:18:38 +0200
From: Luigi Rizzo <rizzo@iet.unipi.it>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: h bagade <bagadeh@gmail.com>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: impact of disabling firewall on performance?
Message-ID: <CA%2BhQ2%2Bh-2eEDHwAgBeO04yWn4SvcspOfujrZ1qBVPiN8syP90A@mail.gmail.com>
In-Reply-To: <20130918175406.B1460@sola.nimnet.asn.au>
References: <CAARSjE07M92tFmQkXPbN4_5b_eXseiYekZHkL=0b6UOK-qtixA@mail.gmail.com> <20130918175406.B1460@sola.nimnet.asn.au>

On Wed, Sep 18, 2013 at 10:07 AM, Ian Smith <smithi@nimnet.asn.au> wrote:

> On Wed, 18 Sep 2013 12:00:30 +0430, h bagade wrote:
> > Hi all,
> >
> > I've heard that disabling firewall with commands or setting related sysctl
> > parameter wouldn't increase performance and still firewalls participate in
> > forwarding process. The only way to reach a better performance is making
> > firewall modules to being loaded dynamically and thereafter unloading
> > firewall modules!
>
> Where exactly did you hear that?
>
> > I want to know is it right? and if so, why it should be like this?
>
> The difference between not invoking a firewall at all and invoking one
> with a single 'pass all' rule would be fairly difficult to measure per
> packet. If your firewall is a bottleneck you likely have larger issues.
>

well... unloading or disabling the firewall with a sysctl is likely exactly
the same in terms of performance -- it's just something like

    if (firewall_loaded || firewall_enabled) {
        invoke_firewall(...);
    }

However, executing the firewall with a single pass rule consumes
some significant amount of time, see
http://info.iet.unipi.it/~luigi/papers/20091201-dummynet.pdf
(those numbers are from 2009 and i measured about 400ns;
recent measurements with ipfw-over-netmap on a fast i7 give about
100ns per packet). This is definitely measurable.

cheers
luigi