PF makes em0 taskq to eat 100% CPU

Thu Jan 24 08:53:59 PST 2008

----- Original Message ----
> From: Stefan Lambrev <stefan.lambrev at moneybookers.com>
> To: freebsd-pf at freebsd.org
> Sent: Thursday, January 24, 2008 6:39:41 PM
> Subject: PF makes em0 taskq to eat 100% CPU
> 
> Hello,
> 
> I'm doing some tests and benchmarks and I'm testing pf on
> bridge
> 
 firewall.
> One of the specific tests is how PF will handle SYN flood from random 
> source addresses.
> While the bridge is w/o activated PF, I see 12-14MB/s traffic.
> When I enable the PF the traffic drops to 2-5MB/s and I'm starting to 
> see lost packets.
> 
> Here is what top -S shows when PF is not active:
>    25 root        1 -68    -     0K    16K -      1  34:45 26.37% em0 
> taskq - only 26% CPU used
> 
> but when I enable PF it (em0 taskq) goes up to 100% and packets
> are
> 
 lost.
> 
> Here is the pf.conf used for tests:
> 
> #macros
> ext_if="em0"
> int_if="em1"
> br_if="bridge0"
> 
> www="10.3.3.1"
> 
> #sets
> set skip on lo0
> set skip on $int_if
> set skip on $br_if
> set limit states 20000000
> set limit src-nodes 15000
> set optimization aggressive
> 
> table  persist file "/etc/abusive_hosts"
> 
> block log quick from  to any
> block log quick from any to 
> 
> pass in quick on $ext_if proto tcp from any to $www port { 80, 443 } 
> flags S/SA keep state \
> (source-track rule, max-src-conn-rate 150/10, max-src-states 250, 
> overload  flush global)
> 
> The number of states that I reach is little more then 2,000,000. 
> (20,000,000 is the limit that I enforce)
> FreeBSD 7.0-RC1-  Thu Jan 24 - amd64 - sched_ule
> 
> Please advise.
> 
> -- 
> 
> Best Wishes,
> Stefan Lambrev
> ICQ# 24134177
> 

Hello Stefan,

What version of FreeBSD do you use and what arch? what is your CPU spec and what ram?

Regards, 
-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/

      ____________________________________________________________________________________
Never miss a thing.  Make Yahoo your home page. 
http://www.yahoo.com/r/hs