On Fri, 10 Jul 2020 18:21:11 +0200 Olivier Cochard-Labbé <oliv...@freebsd.org> wrote:
Hi Olivier,

> > That is mostly for the record but it looks like the intel X520 is
> > not very good and generates a high level of interrupts.
> >
> > On a router / firewall with 500 Kpps in input (dropped by pf) is
> > enough to put the CPUs at 100% busy.
>
> yes 500 Kpps is quite low: Do you have a very complex long pf rule
> set?

Around 1450 rules in all but only 760 for ix0 in input (quick rules only).
PF ruleset-optimization is set to 'basic' (the default).

It's hard to see if PF is the bottleneck but we graph all PF statistics every 10 seconds (pfctl -vsi):

- input 500 Kpps, traffic dropped 200 Kpps,
- pfctl matches rules (counter match) is high with around 270 K matches/s (normally it is around 12 K matches/s),
- pfctl states searches around 300 K/s (normally 200 K/s).

So there is a large number of ruleset evaluations (time costly).

PF congestion counter is always = 0. I'm not sure if this counter works on FreeBSD - I'm sure it works on OpenBSD :)
On FreeBSD does PF congestion increase if PF is not able to handle the load?
(On OpenBSD when congestion occurs, PF stops evaluating the ruleset for a little time and only evaluates state matches.)

Thanks, I guess I have to find a packet generator to make tests.
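Added example, not part of the original message: a sketch of turning two `pfctl -si` style samples taken 10 seconds apart into per-interval rates, since the Rate column pfctl prints is an average over the whole time pf has been enabled. The sample text is constructed to mirror the figures quoted above, and the function names and the baseline argument are assumptions.

```python
import re

# Indented counter line: name, cumulative total, optional since-enable average.
COUNTER = re.compile(r"^\s+(\S.*?)\s+(\d+)(?:\s+[\d.]+/s)?\s*$")

def parse_si(text):
    """Return {(section, counter): total} from `pfctl -si` style output."""
    section, totals = None, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # "State Table ...", "Counters"
            section = re.split(r"\s{2,}", line.strip())[0]
        elif (m := COUNTER.match(line)):
            totals[(section, m.group(1))] = int(m.group(2))
    return totals

def interval_rates(prev, cur, seconds):
    """Per-second deltas; counters that went backwards (cleared stats) are skipped."""
    return {k: (cur[k] - prev[k]) / seconds
            for k in cur if k in prev and cur[k] >= prev[k]}

def summarize(rates, baseline_match):
    """Compare ruleset evaluations (match) against a known-normal rate."""
    match = rates.get(("Counters", "match"), 0.0)
    return {
        "match_per_s": match,
        "searches_per_s": rates.get(("State Table", "searches"), 0.0),
        "congestion_per_s": rates.get(("Counters", "congestion"), 0.0),
        "match_vs_baseline": match / baseline_match,
    }

# Constructed sample output (not captured from a real host), two polls 10 s apart.
_TEMPLATE = """Status: Enabled for 3 days 02:11:40           Debug: Urgent

State Table                          Total             Rate
  current entries                    41250
  searches                      {searches}        18700.0/s
  inserts                         90000000          336.0/s
Counters
  match                          {match}         1496.0/s
  congestion                             0            0.0/s
"""
SAMPLE_T0 = _TEMPLATE.format(searches=5000000000, match=400000000)
SAMPLE_T1 = _TEMPLATE.format(searches=5003000000, match=402700000)

if __name__ == "__main__":
    r = interval_rates(parse_si(SAMPLE_T0), parse_si(SAMPLE_T1), 10)
    print(summarize(r, baseline_match=12000))
```

A match rate many times its baseline while the congestion delta stays at zero is the pattern described in the message.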