[RFC] Enabling IPFIREWALL_FORWARD in run-time
Andrey V. Elsukov
ae at FreeBSD.org
Fri Oct 19 11:25:39 UTC 2012
Hi All,
Many years ago i have already proposed this feature, but at that time
several people were against, because as they said, it could affect
performance. Now, when we have high speed network adapters, SMP kernel
and network stack, several locks acquired in the path of each packet,
and i have an ability to test this in the lab.
So, i prepared the patch, that removes IPFIREWALL_FORWARD option from
the kernel and makes this functionality always build-in, but it is
turned off by default and can be enabled via the sysctl(8) variable
net.pfil.forward=1.
http://people.freebsd.org/~ae/pfil_forward.diff
Also we have done some tests with the ixia traffic generator connected
via 10G network adapter. Tests have show that there is no visible
difference, and there is no visible performance degradation.
Any objections?
--
WBR, Andrey V. Elsukov
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20121019/04548260/attachment.sig>
More information about the freebsd-net
mailing list