Date: Tue, 9 Dec 2014 01:31:35 +0100
From: Olivier Cochard-Labbé <olivier@cochard.me>
To: Maxim Khitrov <max@mxcrypt.com>
Cc: Martin Hanson <greencoppermine@yandex.com>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: Why merging recent OpenBSD PF code is not easy (was Re: FOLLOW-UP)
Message-ID: <CA%2Bq%2BTcrHyu0_gXygPY2F_22mPrMj42_HJE_gfi9xRMbBR8mskw@mail.gmail.com>
In-Reply-To: <CAJcQMWc_wPXKF0bZ2t0gsDFCPSy4EjDULFYtuS5P6Wbr2HtAqw@mail.gmail.com>
References: <115251417993747@web27m.yandex.ru> <75F1B874-8BF5-4500-A9EB-9A6E3F90C3F2@netgate.com> <CAJcQMWc_wPXKF0bZ2t0gsDFCPSy4EjDULFYtuS5P6Wbr2HtAqw@mail.gmail.com>

On Mon, Dec 8, 2014 at 4:27 PM, Maxim Khitrov <max@mxcrypt.com> wrote:

> On Sun, Dec 7, 2014 at 9:22 PM, Jim Thompson <jim@netgate.com> wrote:
> > OpenBSD may eventually grow proper multicore support, but that is of
> > little concern to the FreeBSD project. It took FreeBSD years to get
> > proper multicore support, and I doubt
> > OpenBSD gets there any faster. Nor have they started. This is bad news
> > for OpenBSD, because the world is now multicore, 1Gbps are common (I have
> > one to my house) and 10Gbps connections are increasingly common.
> > OpenBSD's "pf" doesn't even handle 1Gbps unless
>
> How many of your 1 Gbps links are handling 1.488 Mpps? I wasn't very
> interested in that use case when I did my testing, so for me, OpenBSD
> 5.3 handled 4.2 Gbps (MTU 1500) with Intel X540 NIC and Xeon
> E3-1275v2. If I did the math right, that's ~0.35 Mpps:
>
> http://marc.info/?l=openbsd-misc&m=137600809910496&w=2

If your firewall's using a Gbps link you should take care of supporting the
maximum Gigabit Ethernet throughput of 1.488 Mpps: It's too easy to DoS any
kind of OpenBSD firewall with a simple user-land tool like
src/tools/tools/netrate/netblast. You only need to generate about 700 Kpps
for an OpenBSD 5.4 (I didn't test a more recent release).

But the performance of a firewall isn't limited to the "forwarding
performance" (and the unit is a throughput in packets per second, not a
bandwidth): There are lots more parameters to take care of (cf. RFC 3511,
"Benchmarking Methodology for Firewall Performance").

Regards,

Olivier