Firewall Profiling.
Pawel Tyll
ptyll at nitronet.pl
Tue Dec 27 14:01:22 UTC 2011
> IPFW seems to add more or less constant overhead per rule. In our setup,
> ~20 rules increase load by 100% (one core). We are able to reach 10GE
> (1.1mpps) on some routers with most packets travelling 8-10 ipfw rules.
> However, even with ipfw add 1 allow ip from any to any
> 1.1 mpps routing utilizes E5645 by more that 80%. (with IGP routes in
> rtable only). YMMV, but 2x10G is too much at the moment even without ipfw.
Does this include jumbo-frames? 1.1 mpps is far from 10gbit with
standard Internet 1500-byte traffic, unless you meant 11.1 mpps :)
Are there any plans or hopes for efficiency increase? Something like
netmap? (http://info.iet.unipi.it/~luigi/netmap/)
More information about the freebsd-net
mailing list