Firewall Profiling.
Alexander V. Chernikov
melifaro at FreeBSD.org
Tue Dec 27 11:37:15 UTC 2011
On 27.12.2011 04:54, Pawel Tyll wrote:
> Hi lists,
>
> Are there any profiling tools in the system or ports that would allow
> me to determine how much processing is being done per packet and how
> long does it take? I would like to predict possible PPS load for my
> system and perhaps locate and remove some bottlenecks.
>
> Is IPFW efficient enough to firewall 2x10GE (in+out) interfaces
> without much latency increase, when running on modern hardware
> with Intel NICs? Majority of processing tasks would probably be setfib
> according to matches in tables.
IPFW seems to add more or less constant overhead per rule. In our setup,
~20 rules increase load by 100% (one core). We are able to reach 10GE
(1.1mpps) on some routers with most packets travelling 8-10 ipfw rules.
However, even with ipfw add 1 allow ip from any to any
1.1 mpps routing utilizes E5645 by more that 80%. (with IGP routes in
rtable only). YMMV, but 2x10G is too much at the moment even without ipfw.
>
> Pawel.
>
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
--
WBR, Alexander
More information about the freebsd-net
mailing list