PF makes em0 taskq to eat 100% CPU
Stefan Lambrev
stefan.lambrev at moneybookers.com
Thu Jan 24 09:37:29 PST 2008
Abdullah Ibn Hamad Al-Marri wrote:
> ----- Original Message ----
>
>> From: Stefan Lambrev <stefan.lambrev at moneybookers.com>
>> To: freebsd-pf at freebsd.org
>> Sent: Thursday, January 24, 2008 6:39:41 PM
>> Subject: PF makes em0 taskq to eat 100% CPU
>>
>> Hello,
>>
>> I'm doing some tests and benchmarks and I'm testing pf on bridge
>> firewall.
>> One of the specific tests is how PF will handle SYN flood from random
>> source addresses.
>> While the bridge is w/o activated PF, I see 12-14MB/s traffic.
>> When I enable the PF the traffic drops to 2-5MB/s and I'm starting to
>> see lost packets.
>>
>> Here is what top -S shows when PF is not active:
>> 25 root 1 -68 - 0K 16K - 1 34:45 26.37% em0 taskq - only 26% CPU used
>>
>> but when I enable PF it (em0 taskq) goes up to 100% and packets are
>> lost.
>>
>> Here is the pf.conf used for tests:
>>
>> #macros
>> ext_if="em0"
>> int_if="em1"
>> br_if="bridge0"
>>
>> www="10.3.3.1"
>>
>> #sets
>> set skip on lo0
>> set skip on $int_if
>> set skip on $br_if
>> set limit states 20000000
>> set limit src-nodes 15000
>> set optimization aggressive
>>
>> table persist file "/etc/abusive_hosts"
>>
>> block log quick from to any
>> block log quick from any to
>>
>> pass in quick on $ext_if proto tcp from any to $www port { 80, 443 } flags S/SA keep state \
>> (source-track rule, max-src-conn-rate 150/10, max-src-states 250, overload flush global)
>>
>> The number of states that I reach is little more than 2,000,000.
>> (20,000,000 is the limit that I enforce)
>> FreeBSD 7.0-RC1- Thu Jan 24 - amd64 - sched_ule
>>
>> Please advise.
>>
>> --
>>
>> Best Wishes,
>> Stefan Lambrev
>> ICQ# 24134177
>>
>>
>
> Hello Stefan,
>
> What version of FreeBSD do you use and what arch? What is your CPU spec and what RAM?
>
FreeBSD 7.0-RC1 - Thu Jan 24 - amd64 - sched_ule. My CPU is Xeon(R)
X3220 2.4 GHz - quad core, 2GB RAM
I increased kern.ipc.nmbclusters=262144
I find device polling quite helpful here - at least the CPUs are idle.
>
>
> Regards,
> -Abdullah Ibn Hamad Al-Marri
> Arab Portal
> http://www.WeArab.Net/
--
Best Wishes,
Stefan Lambrev
ICQ# 24134177