Firewall Profiling.
Mike Tancsa
mike at sentex.net
Tue Dec 27 21:58:16 UTC 2011
On 12/27/2011 6:36 AM, Alexander V. Chernikov wrote:
>> Is IPFW efficient enough to firewall 2x10GE (in+out) interfaces
>> without much latency increase, when running on modern hardware
>> with Intel NICs? Majority of processing tasks would probably be setfib
>> according to matches in tables.
> IPFW seems to add more or less constant overhead per rule. In our setup,
> ~20 rules increase load by 100% (one core). We are able to reach 10GE
> (1.1mpps) on some routers with most packets travelling 8-10 ipfw rules.
> However, even with ipfw add 1 allow ip from any to any
> 1.1 mpps routing utilizes E5645 by more that 80%. (with IGP routes in
> rtable only). YMMV, but 2x10G is too much at the moment even without ipfw.
Dont some of the modern 10G adapters support filtering in the card
itself ? eg cxgbe.
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
More information about the freebsd-net
mailing list