impact of disabling firewall on performance?
Ian Smith
smithi at nimnet.asn.au
Wed Sep 18 14:19:39 UTC 2013
On Wed, 18 Sep 2013 11:18:38 +0200, Luigi Rizzo wrote:
> On Wed, Sep 18, 2013 at 10:07 AM, Ian Smith <smithi at nimnet.asn.au> wrote:
>
> > On Wed, 18 Sep 2013 12:00:30 +0430, h bagade wrote:
> > > Hi all,
> > >
> > > I've heard that disabling the firewall with commands or setting the
> > > related sysctl parameter wouldn't increase performance, and firewalls
> > > still participate in the forwarding process. The only way to reach
> > > better performance is to make the firewall modules load dynamically
> > > and thereafter unload the firewall modules!
> >
> > Where exactly did you hear that?
> >
> > > I want to know if that is right, and if so, why it should be like this?
> >
> > The difference between not invoking a firewall at all and invoking one
> > with a single 'pass all' rule would be fairly difficult to measure per
> > packet. If your firewall is a bottleneck you likely have larger issues.
> >
>
> well...
:-) I almost added "though Luigi will have measured it to the ns/MHz"
> unloading or disabling the firewall with a sysctl is likely
> exactly the same in terms of performance -- it's just
> something like
>
> if (firewall_loaded || firewall_enabled) {
> invoke_firewall(...);
> }
Not && ?
Either way, unloading the module/s couldn't gain any performance.
> However, executing the firewall with a single pass rule consumes
> some significant amount of time, see
> http://info.iet.unipi.it/~luigi/papers/20091201-dummynet.pdf
> (those numbers are from 2009 and i measured about 400ns;
> recent measurements with ipfw-over-netmap on a fast i7
> give about 100ns per packet).
>
> This is definitely measurable.
Thanks for the spanking, and a second browsing of Dummynet Revisited.
cheers, Ian
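Added example, not from the thread and not kernel or ipfw code: a small user-space model in C of the hook Luigi sketches, with the gate written as loaded && enabled (the reading asked about above), a rule walk over one "pass all" rule, and a timing loop so the cost of invoking the firewall versus skipping it can be seen side by side. The names (fw_check, forward_one, bench, the fw_loaded and fw_enabled flags) and the packet and rule contents are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>
enum { FW_DENY = 0, FW_PASS = 1 };
struct pkt  { uint32_t src, dst; uint8_t proto; };
struct rule { uint32_t src, src_mask, dst, dst_mask; uint8_t proto; int action; };
/* Constructed single "pass all" rule; volatile so the walk is not optimized out. */
static volatile struct rule pass_all[1] = { { 0, 0, 0, 0, 0, FW_PASS } };
/* Hypothetical stand-ins for "module loaded" and the enable sysctl. */
static volatile int fw_loaded = 1, fw_enabled = 1;
/* Rule walk: what a loaded, enabled firewall does for every packet, even
 * when the only rule is "pass all". No matching rule means deny. */
int fw_check(const struct pkt *p, const volatile struct rule *r, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if ((p->src & r[i].src_mask) != r[i].src) continue;
        if ((p->dst & r[i].dst_mask) != r[i].dst) continue;
        if (r[i].proto != 0 && r[i].proto != p->proto) continue;
        return r[i].action;
    }
    return FW_DENY;
}
/* The forwarding-path hook, shaped like the quoted sketch but with && (the
 * reading asked about above): invoke only if loaded and enabled. 1 = forwarded. */
int forward_one(const struct pkt *p)
{
    if (fw_loaded && fw_enabled)
        return fw_check(p, pass_all, 1) == FW_PASS;
    return 1;
}
/* Push npkts constructed packets through the hook; returns how many were
 * forwarded and stores the measured CPU cost per packet in nanoseconds. */
long bench(long npkts, double *ns_per_pkt)
{
    struct pkt p = { 0x0a000001u, 0x0a000002u, 6 };
    long fwd = 0;
    clock_t t0 = clock();
    for (long i = 0; i < npkts; i++) { p.dst += 1; fwd += forward_one(&p); }
    *ns_per_pkt = (double)(clock() - t0) * 1e9 / CLOCKS_PER_SEC / npkts;
    return fwd;
}
int main(void)
{
    double ns; long n = 10000000L;
    bench(n, &ns); printf("loaded+enabled, one pass rule: %.1f ns/pkt\n", ns);
    fw_enabled = 0; bench(n, &ns); printf("disabled via sysctl:           %.1f ns/pkt\n", ns);
    fw_loaded = 0;  bench(n, &ns); printf("module unloaded:               %.1f ns/pkt\n", ns);
    return 0;
}
```

The absolute numbers depend on the machine and will not match the in-kernel figures quoted above; the point is that the disabled and unloaded paths cost one branch while the pass-all path costs a call plus a rule walk.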