Date: Tue, 6 Jul 2010 23:28:30 +0200
From: Roland Smith <rsmith@xs4all.nl>
To: Jeremy Chadwick <freebsd@jdc.parodius.com>
Cc: Max Laier <max@love2party.net>, David Warren <davideugenewarren@gmail.com>, freebsd-stable@freebsd.org
Subject: Re: 8.0 network problem
Message-ID: <20100706212830.GA63307@slackbox.erewhon.net>
In-Reply-To: <20100706203222.GA68830@icarus.home.lan>
References: <AANLkTin4l7-UzDQW04voF6Lf-vMaHhCrvXP39GGsmgKG@mail.gmail.com> <20100705055105.GA21681@icarus.home.lan> <AANLkTim5X6YSsbU-HFiUy6PPG_bf0_Hymd7q7ozOsHaD@mail.gmail.com> <AANLkTinDRYNiCef9V_qRv5Ge2DotVjQep6M3guUwx35E@mail.gmail.com> <20100706174155.GA56410@slackbox.erewhon.net> <20100706203222.GA68830@icarus.home.lan>

On Tue, Jul 06, 2010 at 01:32:22PM -0700, Jeremy Chadwick wrote:
> Back to the problem at hand:
>
> I wonder if it's lack of "quick" on some rules which is causing the
> problem; hard to say,

That would stop evaluation of further rules, sure. But it seems most of the
rules concern the external interface.

_Assuming_ that the samba clients are on the internal interface, it would make
sense to put the few rules concerning that interface as early as possible in
the list of filter rules, and indeed add the quick keyword.

Alternatively, one could consider adding this interface to the list of skipped
interfaces. This would at least be useful for testing purposes, since it would
preclude pf from processing packages on this interface. If this fixes the
problem, there is some problem in the ruleset.

> and I'm not sure how to "benchmark" pf.

Looking at the output of 'pfctl -vvs rules' would be a start, I think. If the
rules that are matched most are at the end of the filter rules, all previous
rules are evaluated, AFAIK. For more info try 'pfctl -vvs all'.

In the past I found it useful to set up a point-to-point connection between
two FreeBSD machines, and then do some throughput measurements using
e.g. nc(1). Start with pf disabled, then enhance the ruleset rule-by-rule and
see if performance is influenced.

A couple of years ago I did this, and IIRC the largest influence I could find
was the type of ethernet adapter used. Can't find any notes from that
experiment but I could repeat it if it is deemed interesting.

> Furthermore, remember that the OP can move to another NIC and the
> problem goes away[1]. I know there have been issues in the past
> reported with em(4) and pf ALTQ, but that isn't in use here.

There are lots of other crappy ethernet adapters out there. E.g. re(4) and
rl(4) tend to suck in my experience. Of course if the hardware was changed but
not the relevant filter rules, it would default to "pass". :-)

Roland
-- 
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
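
Added example, not part of Roland Smith's message: a Python script for the 'pfctl -vvs rules' check suggested above. It parses the per-rule counters and lists rules that match most packets yet are not first in the list or lack the quick keyword. The sample output, the interface names em0/em1, the function names and the 50% threshold are constructed assumptions.

```python
import re

# Constructed sample in the layout of `pfctl -vvs rules` (rule line, then its
# counter line); interface names em0/em1, rules and numbers are made up.
SAMPLE = """\
@0 block drop in log on em0 all
  [ Evaluations: 52000     Packets: 310       Bytes: 18600       States: 0     ]
@1 pass in on em0 proto tcp from any to any port = ssh flags S/SA keep state
  [ Evaluations: 21000     Packets: 4200      Bytes: 610000      States: 2     ]
@2 pass out on em0 all flags S/SA keep state
  [ Evaluations: 52000     Packets: 9800      Bytes: 5300000     States: 11    ]
@3 pass on em1 all flags S/SA keep state
  [ Evaluations: 52000     Packets: 880000    Bytes: 910000000   States: 25    ]
"""

RULE = re.compile(r"^@(\d+) (.*)$")
STATS = re.compile(r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)")

def parse_rules(text):
    """Return one dict per rule: position, rule text, quick flag, counters."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            body = m.group(2)
            rules.append({"nr": int(m.group(1)), "rule": body,
                          "quick": "quick" in body.split(),
                          "evaluations": 0, "packets": 0})
            continue
        s = STATS.search(line)
        if s and rules:  # counter line belongs to the most recent rule line
            rules[-1]["evaluations"] = int(s.group(1))
            rules[-1]["packets"] = int(s.group(2))
    return rules

def reorder_candidates(rules, share=0.5):
    """Rules matching at least `share` of all counted packets that are not
    the first rule or lack `quick` (assumed heuristic, not a pf feature)."""
    total = sum(r["packets"] for r in rules) or 1
    return [r for r in rules
            if r["packets"] / total >= share and (r["nr"] > 0 or not r["quick"])]

if __name__ == "__main__":
    for r in reorder_candidates(parse_rules(SAMPLE)):
        print(f"@{r['nr']} packets={r['packets']} quick={r['quick']}: {r['rule']}")
```

On a live system the same functions can be fed the text captured from 'pfctl -vvs rules' instead of SAMPLE.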