ipfw verrevpath performance broken in 9.2
Denis V. Klimkov
falcon at tcm.by
Fri Dec 27 06:43:42 UTC 2013
Hello Freebsd-net,
Recently upgraded router system from 9.0-RELEASE to 9.2-STABLE and
got 100% CPU utilisation on all cores with interrupts under the same
load that had about 25-30% CPU utilisation before. Of course that led
to high latency (about 400 ms and packet loss).
Load reduced immediately after I removed all ipfw antispoofing rules with
"verrevpath":
11010 3659429 430047150 deny ip from any to any not verrevpath in via vlan6
11020 719931 58619220 deny ip from any to any not verrevpath in via vlan7
11025 68141 5144481 deny ip from any to any not verrevpath in via vlan8
11030 202144 6785732 deny ip from any to any not verrevpath in via vlan9
11040 171291 56196945 deny ip from any to any not verrevpath in via vlan10
11045 291914032 39427773226 deny ip from any to any not verrevpath in via vlan11
11060 6102962 441745213 deny ip from any to any not verrevpath in via vlan15
11070 4832442 1259880158 deny ip from any to any not verrevpath in via vlan16
11080 814769 95745079 deny ip from any to any not verrevpath in via vlan17
11101 2901098 628552748 deny ip from any to any not verrevpath in via vlan26
11102 1264750 146468688 deny ip from any to any not verrevpath in via vlan27
11110 902441 294155831 deny ip from any to any not verrevpath in via vlan21
11120 628324 31060933 deny ip from any to any not verrevpath in via vlan23
11130 1381 83245 deny ip from any to any not verrevpath in via vlan24
11138 4258607 3389925416 deny ip from any to any not verrevpath in via vlan31
11150 56 2792 deny ip from any to any not verrevpath in via vlan40
Is there a way to fix the verrevpath performance issue in 9.2 and further?
There is no problem to remove these rules on this system, but I also
have 2 systems running MPD with about 2000 PPPoE ng interfaces with
very handy ipfw rule "deny ip from any to any not verrevpath in via
ng*".
---
Denis V. Klimkov