impact of disabling firewall on performance?

Luigi Rizzo rizzo at iet.unipi.it
Wed Sep 18 09:18:41 UTC 2013


On Wed, Sep 18, 2013 at 10:07 AM, Ian Smith <smithi at nimnet.asn.au> wrote:

> On Wed, 18 Sep 2013 12:00:30 +0430, h bagade wrote:
>  > Hi all,
>  >
>  > I've heard that disabling the firewall with commands or setting the
>  > related sysctl parameter wouldn't increase performance and firewalls
>  > still participate in the forwarding process. The only way to reach
>  > better performance is making the firewall modules load dynamically
>  > and thereafter unloading the firewall modules!
>
> Where exactly did you hear that?
>
>  > I want to know: is it right? And if so, why should it be like this?
>
> The difference between not invoking a firewall at all and invoking one
> with a single 'pass all' rule would be fairly difficult to measure per
> packet.  If your firewall is a bottleneck you likely have larger issues.
>

well...
unloading or disabling the firewall with a sysctl is likely
exactly the same in terms of performance -- it's just
something like

    if (firewall_loaded || firewall_enabled) {
         invoke_firewall(...);
    }

However, executing the firewall with a single pass rule consumes
some significant amount of time, see
http://info.iet.unipi.it/~luigi/papers/20091201-dummynet.pdf
(those numbers are from 2009 and I measured about 400ns;
recent measurements with ipfw-over-netmap on a fast i7
give about 100ns per packet).

This is definitely measurable.

cheers
luigi
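The point made above, that the "not loaded / disabled by sysctl" case is a single flag test while a "pass all" rule still runs the whole rule walk, can be seen in a small user-space model. The following is an added example for this archive page, not code from the thread or from ipfw: the packet, the rule format, the scenario names (POLICY_PASS_ALL, POLICY_BLOCK_HTTP, ...) and the default-deny-on-no-match policy are assumptions of the model, and the numbers it prints are for this toy engine on your machine, not the figures quoted in the mail.

```c
/* Added example, not from the freebsd-net thread or from ipfw: a user-space
 * model of "flag test only" versus "rule engine with one pass-all rule". */
#define _POSIX_C_SOURCE 199309L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

enum fw_action { FW_PASS = 0, FW_DENY = 1 };
/* Hypothetical scenario names for this example only. */
enum policy { POLICY_EMPTY = 0, POLICY_PASS_ALL = 1, POLICY_BLOCK_HTTP = 2 };

struct pkt { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };

/* One rule: (value, mask) per field; a zero mask matches anything, so an
 * all-zero rule with action FW_PASS is the "single pass rule" of the mail. */
struct fw_rule {
    uint32_t src, src_mask, dst, dst_mask;
    uint16_t sport, sport_mask, dport, dport_mask;
    uint8_t  proto, proto_mask;
    enum fw_action action;
    uint64_t pcnt;              /* per-rule packet counter */
};

struct fw_ctx {
    int loaded, enabled;        /* module present / sysctl-style switch */
    struct fw_rule rules[2];
    size_t nrules;
    uint64_t engine_runs;       /* how often the rule walk actually ran */
};

struct result { enum fw_action action; uint64_t engine_runs; int matched_rule; };

/* First-match rule walk; no match means deny (this model's assumed default). */
static enum fw_action fw_check(struct fw_ctx *fw, const struct pkt *p, int *matched)
{
    fw->engine_runs++;
    for (size_t i = 0; i < fw->nrules; i++) {
        struct fw_rule *r = &fw->rules[i];
        if ((p->src   & r->src_mask)   != r->src)   continue;
        if ((p->dst   & r->dst_mask)   != r->dst)   continue;
        if ((p->sport & r->sport_mask) != r->sport) continue;
        if ((p->dport & r->dport_mask) != r->dport) continue;
        if ((p->proto & r->proto_mask) != r->proto) continue;
        r->pcnt++;
        *matched = (int)i;
        return r->action;
    }
    *matched = -1;
    return FW_DENY;
}

/* The forwarding hook: when the firewall is not loaded or is switched off,
 * only the flag test runs; otherwise the full rule walk runs. */
static enum fw_action forward_one(struct fw_ctx *fw, const struct pkt *p, int *matched)
{
    if (fw->loaded && fw->enabled)
        return fw_check(fw, p, matched);
    *matched = -1;
    return FW_PASS;
}

static struct fw_ctx make_ctx(int loaded, int enabled, enum policy pol)
{
    struct fw_ctx fw = { .loaded = loaded, .enabled = enabled, .nrules = 0 };
    struct fw_rule pass_all = { .action = FW_PASS };           /* all masks zero */
    struct fw_rule block_http = { .dport = 80, .dport_mask = 0xffff,
                                  .proto = 6, .proto_mask = 0xff, .action = FW_DENY };
    if (pol == POLICY_BLOCK_HTTP) fw.rules[fw.nrules++] = block_http;
    if (pol != POLICY_EMPTY)      fw.rules[fw.nrules++] = pass_all;
    return fw;
}

/* Send one constructed TCP packet 10.0.0.1:1234 -> 10.0.0.2:dport. */
static struct result eval_packet(int loaded, int enabled, enum policy pol, uint16_t dport)
{
    struct fw_ctx fw = make_ctx(loaded, enabled, pol);
    struct pkt p = { .src = 0x0a000001, .dst = 0x0a000002, .sport = 1234, .dport = dport, .proto = 6 };
    struct result res;
    res.action = forward_one(&fw, &p, &res.matched_rule);
    res.engine_runs = fw.engine_runs;
    return res;
}

/* Push n packets through the hook and return nanoseconds per packet. */
static double bench_ns_per_pkt(int loaded, int enabled, enum policy pol, size_t n)
{
    struct fw_ctx fw = make_ctx(loaded, enabled, pol);
    struct pkt p = { .src = 0x0a000001, .dst = 0x0a000002, .sport = 1234, .dport = 443, .proto = 6 };
    struct timespec t0, t1;
    volatile unsigned sink = 0;
    int m;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (size_t i = 0; i < n; i++) {
        p.sport = (uint16_t)(1024 + (i & 0x3ff));   /* vary the packet so nothing is hoisted */
        sink += forward_one(&fw, &p, &m);
    }
    clock_gettime(CLOCK_MONOTONIC, &t1);
    (void)sink;
    double ns = (double)(t1.tv_sec - t0.tv_sec) * 1e9 + (double)(t1.tv_nsec - t0.tv_nsec);
    return ns / (double)n;
}

int main(void)
{
    size_t n = 20 * 1000 * 1000;
    printf("flag test only (not loaded):  %.2f ns/pkt\n", bench_ns_per_pkt(0, 0, POLICY_EMPTY, n));
    printf("loaded, disabled by sysctl:   %.2f ns/pkt\n", bench_ns_per_pkt(1, 0, POLICY_PASS_ALL, n));
    printf("single pass-all rule:         %.2f ns/pkt\n", bench_ns_per_pkt(1, 1, POLICY_PASS_ALL, n));
    printf("deny-http + pass-all:         %.2f ns/pkt\n", bench_ns_per_pkt(1, 1, POLICY_BLOCK_HTTP, n));
    return 0;
}
```

Build with optimisation (e.g. `cc -O2`) so the comparison is between the branch and the rule walk rather than between two unoptimised loops; the first two lines of output should be near-identical, which is the "unloading or disabling with a sysctl is the same" claim, while the pass-all line shows the cost that a rule walk adds even when it does nothing.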

