PF in FreeBSD 5.3 versus 6.x
Michael Conlen
m at obmail.net
Tue Oct 9 12:47:25 PDT 2007
I've noticed at some point between 5.3 and 6.0 that PF seems to be
dropping more packets than with 5.3 and there is increased deviation
in latency. Using the same equipment handling about 25k PPS each way
I see about 0.3% packet loss with FreeBSD 6.2 and 6.0 with sub 0.1%
loss with FreeBSD 5.3. Similarly, the worst-case response times for
ICMP packets are much lower in 5.3 than in either version of 6.
I'm using something pretty vanilla in terms of setup. No ALTQ support
or features, no redirects, just a lot of blocking and allowing. The
firewalls are using server class 3Com and Intel Gigabit (Fiber)
cards. The changes were noticed going forward and undone by going
back to FreeBSD 5.3 so I don't suspect physical problems at the moment.
My pf.conf is essentially a block in all followed by a block in quick
against a table with 2000 entries, many of them /24 or /16, followed by
pass rules to the various host:ports we allow.
If I log in to the firewalls themselves and run mtr in each direction
I don't see any traffic loss. It's only when crossing the firewalls.
Usage is about 25k packets per second and 100Mbit/sec 5 minute max
traffic. The switches are Foundry SI-800g.
Also doing about 25k/sec searches with 400 inserts a second and 270
removals and 407 matches/sec. The state table seems to run about
70,000 to 90,000.
Are there issues I should be aware of and should pf be able to handle
this kind of load?
--
Michael Conlen
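The rule shape the post describes (block in all, a quick block against a table, then explicit pass rules), written out as an added pf.conf example. This is not the poster's configuration: the interface, table name, file path, hosts, ports and the state limit are assumptions. It also carries one setting the post implies but does not mention: pf's default state limit on FreeBSD is 10000 entries, so a state table of 70,000 to 90,000 entries only fits if the limit has been raised.

```pf
# Added example of the rule shape described in the post above; the
# interface, table name, file path, hosts, ports and limit are assumptions.
ext_if   = "em0"
web_srv  = "192.0.2.10"
mail_srv = "192.0.2.20"

# Address table loaded from a file, one address or CIDR block per line
# (the post's table holds ~2000 entries, many of them /24 or /16).
table <blocked> persist file "/etc/pf.blocked"

# pf defaults to 10000 states; the post reports 70,000 to 90,000, so the
# limit must be raised or new connections are dropped once it is reached.
set limit states 200000

# Default deny for inbound traffic; later matching rules override it.
block in all

# "quick" stops rule evaluation, so blocked sources never reach the pass
# rules and cost only the table lookup.
block in quick on $ext_if from <blocked> to any

# Explicit allows, each creating state so replies pass on the state lookup
# instead of another rule walk.
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail_srv port 25 flags S/SA keep state
pass out on $ext_if keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it; once loaded, `pfctl -s memory` shows the configured limits and `pfctl -s info` the current state count and the counters (state searches, inserts, removals, match) the post quotes, which is where to watch for the state limit being hit.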