Upcoming release schedule - 8.4 ?
Damien Fleuriot
ml at my.gd
Fri Jun 15 13:08:45 UTC 2012
On 6/15/12 10:52 AM, Mark Linimon wrote:
> On Fri, Jun 15, 2012 at 10:16:30AM +0200, Damien Fleuriot wrote:
>> I'm thinking we might jump straight from 8.x to 10 when the time comes,
>> I'm really looking forward to Gleb's work on CARP and PF ;)
>
> I don't know why you might think one .0 release would be more mature
> than another .0 release. Maybe I'm misunderstanding.
>
10.0 hasn't scared the hell out of me, yet, on the ml... :p

>> There are not many boxes I could try 9.0 on, because they're in
>> production with pfsync to conserve client sessions and I'm loath to
>> take risks with most of our firewalls.
>
> This is where having one or more systems for development is key.
>
My problem here is that the dev and preprod platforms are actively used
by our devs, which means that it costs us money if we have an outage.
I suppose I could try upgrading the backup box to 9.0 then swapping over
to it.
My main problem here is that we've got many machines to administer, on
top of the network and security, and there's just me and myself that
touch the firewalls.
It always comes down to time being short...

> Installations like yours are in a far better situation to test FreeBSD under
> realistic loads than are all but a few of the FreeBSD developers. I would
> urge testing long before the leadup to a .0 release, not afterwards.
>
I guess it couldn't hurt overmuch for me to test 9.0 on one of our
projects, I could update 1 of the 4 boxes to 9.0 and make it carp master.
If that goes well, 1-2 weeks later I could push 9.0 on another project
which uses 4 *active* firewalls.
This is a medium packet-rate [2][3] real life [1] project and could
yield interesting results for you guys.

@gleb
Are there any contraindications against running 8-STABLE and 9-STABLE
sets of firewalls with CARP and pfsync?

[1]
Firewalls share 8 CARP IPs and are each master on 2 at a given time.
Firewalls use VLAN tagging over a link aggregation interface.
Firewalls use relayd to dynamically rdr packets to backend servers.

[2]
IRQs on broadcom NIC:
# vmstat -i
interrupt                          total       rate
irq9: acpi0                           22          0
irq20: uhci3                          20          0
irq21: uhci2 uhci4+                   25          0
cpu0: timer                   2089687121       2000
irq256: bce0                    33684311         32
irq257: bce1                  8636578820       8266

[3]
PF output:
Status: Enabled for 12 days 02:10:48          Debug: Urgent

Interface Stats for vlan20            IPv4             IPv6
  Bytes In                    522596420435                0
  Bytes Out                  5536513003172                0
  Packets In
    Passed                      4893000575                0
    Blocked                      144967803                0
  Packets Out
    Passed                      6005257543                0
    Blocked                         478378                0

State Table                          Total             Rate
  current entries                    16556
  searches                     22646986476        21679.1/s
  inserts                       1368370473         1309.9/s
  removals                      1368353917         1309.9/s
Counters
  match                         1650605688         1580.1/s