On 6/15/12 10:52 AM, Mark Linimon wrote:
> On Fri, Jun 15, 2012 at 10:16:30AM +0200, Damien Fleuriot wrote:
>> I'm thinking we might jump straight from 8.x to 10 when the time comes,
>> I'm really looking forward to Gleb's work on CARP and PF ;)
>
> I don't know why you might think one .0 release would be more mature
> than another .0 release.  Maybe I'm misunderstanding.
>
10.0 hasn't scared the hell out of me, yet, on the ML... :p

>> There are not many boxes I could try 9.0 on, because they're in
>> production with pfsync to conserve client sessions and I'm loath to
>> take risks with most of our firewalls.
>
> This is where having one or more systems for development is key.
>

My problem here is that the dev and preprod platforms are actively used by our devs, which means that it costs us money if we have an outage.

I suppose I could try upgrading the backup box to 9.0, then swapping over to it.

My main problem here is that we've got many machines to administer, on top of the network and security, and there's just me and myself who touch the firewalls.
It always comes down to time being short...

> Installations like yours are in a far better situation to test FreeBSD under
> realistic loads than are all but a few of the FreeBSD developers.  I would
> urge testing long before the leadup to a .0 release, not afterwards.
>

I guess it couldn't hurt overmuch for me to test 9.0 on one of our projects; I could update 1 of the 4 boxes to 9.0 and make it CARP master.

If that goes well, 1-2 weeks later I could push 9.0 on another project which uses 4 *active* firewalls.
This is a medium packet-rate [2][3] real-life [1] project and could yield interesting results for you guys.

@gleb
Are there any contraindications against running 8-STABLE and 9-STABLE sets of firewalls with CARP and pfsync?

[1] Firewalls share 8 CARP IPs and are each master on 2 at a given time.
Firewalls use VLAN tagging over a link aggregation interface.
Firewalls use relayd to dynamically rdr packets to backend servers.
[2] IRQs on Broadcom NIC:

# vmstat -i
interrupt                          total       rate
irq9: acpi0                           22          0
irq20: uhci3                          20          0
irq21: uhci2 uhci4+                   25          0
cpu0: timer                   2089687121       2000
irq256: bce0                    33684311         32
irq257: bce1                  8636578820       8266

[3] PF output:

Status: Enabled for 12 days 02:10:48           Debug: Urgent

Interface Stats for vlan20            IPv4             IPv6
  Bytes In                    522596420435                0
  Bytes Out                  5536513003172                0
  Packets In
    Passed                      4893000575                0
    Blocked                      144967803                0
  Packets Out
    Passed                      6005257543                0
    Blocked                         478378                0

State Table                          Total             Rate
  current entries                    16556
  searches                     22646986476        21679.1/s
  inserts                       1368370473         1309.9/s
  removals                      1368353917         1309.9/s
Counters
  match                         1650605688         1580.1/s

_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
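The upgrade path sketched in the mail (upgrade the backup box, let pfsync catch up, then swap it to master so client sessions survive) is the kind of step worth gating on a check rather than on a feeling. The script below is an added example, not code from the mail or from FreeBSD: it parses the "current entries" line of `pfctl -si` output and the "carp: MASTER/BACKUP" line of `ifconfig carpN` output (old-style carp(4) as in 8.x/9.x) from both boxes, and only reports "ready" when the roles are as expected and the backup's state table is within a tolerance of the master's. The `pfctl -si` and `ifconfig` excerpts embedded below are constructed samples modelled on the [3] output above, and the 5% tolerance is an arbitrary choice; on real boxes you would feed it the live command output.

```shell
#!/bin/sh
# Added example (not part of the original mail): pre-failover sanity check
# for a CARP + pfsync pair before promoting an upgraded backup to master.
# All input is plain text, so it runs anywhere; the samples below are
# constructed, not captured from a real firewall.

# "current entries" from `pfctl -si` output on stdin.
state_count() {
    awk '/current entries/ { print $3; exit }'
}

# CARP role (MASTER/BACKUP/INIT) from `ifconfig carpN` output on stdin,
# i.e. the "carp: MASTER vhid 1 advbase 1 advskew 0" line of carp(4) in 8.x/9.x.
carp_state() {
    awk '/carp:/ { print $2; exit }'
}

# Safe to swap only if roles are MASTER/BACKUP and the backup's state count
# is within TOL percent of the master's. pfsync never keeps the two tables
# identical at ~1300 inserts/s, so "close" is the realistic test, not "equal".
# Args: master_states backup_states master_role backup_role tolerance_pct
failover_ready() {
    m="$1"; b="$2"; mrole="$3"; brole="$4"; tol="$5"
    [ "$mrole" = "MASTER" ] || return 1
    [ "$brole" = "BACKUP" ] || return 1
    [ "$m" -gt 0 ] || return 1
    if [ "$m" -ge "$b" ]; then d=$((m - b)); else d=$((b - m)); fi
    # integer math: |m-b| * 100 <= m * tol
    [ $((d * 100)) -le $((m * tol)) ]
}

# Constructed samples standing in for real command output on the two boxes.
MASTER_SI='Status: Enabled for 12 days 02:10:48           Debug: Urgent

State Table                          Total             Rate
  current entries                    16556
  searches                     22646986476        21679.1/s
  inserts                       1368370473         1309.9/s
  removals                      1368353917         1309.9/s'

BACKUP_SI='Status: Enabled for 0 days 01:03:10           Debug: Urgent

State Table                          Total             Rate
  current entries                    16300
  searches                        11902133         3100.2/s
  inserts                            16412            4.3/s
  removals                             112            0.0/s'

MASTER_IFCONFIG='carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 192.0.2.1 netmask 0xffffff00
	carp: MASTER vhid 1 advbase 1 advskew 0'

BACKUP_IFCONFIG='carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 192.0.2.1 netmask 0xffffff00
	carp: BACKUP vhid 1 advbase 1 advskew 100'

# Run the whole check over four captured outputs; prints a verdict and
# returns 0 only when the swap looks safe.
check_pair() {
    ms=$(printf '%s\n' "$1" | state_count)
    bs=$(printf '%s\n' "$2" | state_count)
    mr=$(printf '%s\n' "$3" | carp_state)
    br=$(printf '%s\n' "$4" | carp_state)
    if failover_ready "$ms" "$bs" "$mr" "$br" 5; then
        echo "ready: master=$mr/$ms states, backup=$br/$bs states"
        return 0
    fi
    echo "NOT ready: master=$mr/$ms states, backup=$br/$bs states"
    return 1
}

if check_pair "$MASTER_SI" "$BACKUP_SI" "$MASTER_IFCONFIG" "$BACKUP_IFCONFIG"; then :; fi
```

On a real pair you would run `pfctl -si` and `ifconfig carp0` on each box (over ssh, or by hand) and feed the text into `check_pair`; a "NOT ready" verdict on a freshly booted backup usually just means pfsync has not finished its bulk update yet. Only once it passes would you actually move the role, for example by raising advskew on the old master so the upgraded box preempts it.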