Date: Tue, 27 Jan 2015 12:03:19 -0600
From: Jim Thompson <jim@netgate.com>
To: Antoine Beaupré <anarcat@koumbit.org>
Cc: freebsd-net@FreeBSD.org
Subject: Re: is polling still a thing?
Message-ID: <A32D80F3-9D34-4136-A870-B28582F6EAA0@netgate.com>
In-Reply-To: <871tmgceup.fsf@marcos.anarc.at>
References: <871tmgceup.fsf@marcos.anarc.at>
> On Jan 27, 2015, at 11:28 AM, Antoine Beaupré <anarcat@koumbit.org> wrote:
>
> (Please CC, as I am not on the list.)
>
> I was surprised to read this article in the pfSense blog:
>
> https://blog.pfsense.org/?p=115

That article is from June 2007. It's over seven years old. Times change.

> TLDR: "At this time, polling is not recommended at all."

There are situations which warrant polling.

> Is that true? I am trying to tweak a Supermicro machine as a router to
> survive major DDOS attacks on a 1gbps link. So far, I can't get far
> beyond the 100kpps and 50mbps mark.
>
> The hardware is:
>
> * 2xIntel E1G44HTBLK NICs Quad port i340 PCIe Nic (igb(4) driver)
> * 1xIntel 1220LV2 CPU 2 core Ivy Bridge @ 2.3GHz
>
> More detailed specs here:
>
> https://wiki.koumbit.net/rtr1.koumbit.net

Says you're running 9.3.
The pf in 9.3 is single-threaded.

> We are using a stateful pf firewall and polling on the network
> interfaces. We got around 100kpps during the DDOS, with 700kpps dropped
> (or at least 700k/s errors) on the NIC. The DDOS was apparently 5.5gbps
> but around 400mbps reached our port from upstream's point of view. The
> kernel interfaces counted around 50mbps:
>
> https://redmine.koumbit.net/attachments/download/7706
> https://redmine.koumbit.net/attachments/download/7707
> https://redmine.koumbit.net/attachments/download/7708
> https://redmine.koumbit.net/attachments/download/7709

These want a login/password to access.

> The load on the router was fine during the DDOS, but of course packet
> loss was endemic.
>
> At this point, I'm considering the following options:
>
> * switching to an Intel IGB nic

You already have one.

> * enabling fastforwarding

Typically a good idea.

> * tweak the number of IGB queues
>
> Any recommendations would be welcome.
Have you considered FreeBSD 10.1?

> Thanks!
>
> A.
>
> --
> feature, n: a documented bug | bug, n: an undocumented feature
> - Mario S F Ferreira <lioux@FreeBSD.org>
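One check worth running before touching polling, fastforwarding or queue counts is to turn the raw NIC counters into the per-second numbers the thread quotes (about 100kpps forwarded against about 700k/s input errors). The script below is an added example, not code from the thread or from FreeBSD; it parses two constructed `netstat -I igb0` snapshots and assumes the column order FreeBSD's `netstat -i` prints without `-b` (Name Mtu Network Address Ipkts Ierrs Idrop Opkts Oerrs Coll), with the counters on the `<Link#N>` row.

```shell
#!/bin/sh
# Added example: derive input pps, input-error pps and the error share for
# one interface from two netstat -I snapshots taken INTERVAL seconds apart.
# Column layout assumed (FreeBSD netstat -i, no -b):
#   1 Name 2 Mtu 3 Network 4 Address 5 Ipkts 6 Ierrs 7 Idrop 8 Opkts 9 Oerrs 10 Coll
# Both snapshots below are constructed sample data, not real captures.

SNAP1='Name    Mtu Network       Address              Ipkts    Ierrs Idrop   Opkts Oerrs Coll
igb0   1500 <Link#1>      00:25:90:aa:bb:cc 10000000 70000000     0 9900000     0    0'
SNAP2='Name    Mtu Network       Address              Ipkts    Ierrs Idrop   Opkts Oerrs Coll
igb0   1500 <Link#1>      00:25:90:aa:bb:cc 10100000 70700000     0 9999000     0    0'

# field <snapshot> <n>: column n of the first data row (the <Link#N> row)
field() {
    printf '%s\n' "$1" | awk -v n="$2" 'NR == 2 { print $n }'
}

# rate <before> <after> <interval>: integer per-second rate from two counters
rate() {
    echo $(( ($2 - $1) / $3 ))
}

# err_share <pkts_per_s> <errs_per_s>: percent of inbound frames that were
# counted as Ierrs rather than delivered, two decimals; 0.00 on an idle link
err_share() {
    awk -v p="$1" -v e="$2" 'BEGIN {
        if (p + e == 0) print "0.00";
        else printf "%.2f\n", 100 * e / (p + e)
    }'
}

# report <snap1> <snap2> <interval>: "ifname in_pps in_err_ps err_share%"
report() {
    ifname=$(field "$1" 1)
    pps=$(rate "$(field "$1" 5)" "$(field "$2" 5)" "$3")
    eps=$(rate "$(field "$1" 6)" "$(field "$2" 6)" "$3")
    printf '%s %s %s %s\n' "$ifname" "$pps" "$eps" "$(err_share "$pps" "$eps")"
}

# With the constructed snapshots one second apart this mirrors the thread's
# figures: 100000 pps delivered, 700000 errors/s, 87.50% of inbound lost.
report "$SNAP1" "$SNAP2" 1
```

On a live box replace the two constants with `netstat -I igb0` output captured before and after a `sleep`, and repeat per igb port to see which queues are actually saturating.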