On Mon, Dec 8, 2014 at 4:27 PM, Maxim Khitrov <m...@mxcrypt.com> wrote:
> On Sun, Dec 7, 2014 at 9:22 PM, Jim Thompson <j...@netgate.com> wrote:
>
> > OpenBSD may eventually grow proper multicore support, but that is of little concern to the FreeBSD project. It took FreeBSD years to get proper multicore support, and I doubt
> > OpenBSD gets there any faster. Nor have they started. This is bad news for OpenBSD, because the world is now multicore, 1Gbps are common (I have one to my house) and 10Gbps connections are increasingly common. OpenBSD's "pf" doesn't even handle 1Gbps unless
>
> How many of your 1 Gbps links are handling 1.488 Mpps? I wasn't very interested in that use case when I did my testing, so for me, OpenBSD 5.3 handled 4.2 Gbps (MTU 1500) with Intel X540 NIC and Xeon E3-1275v2. If I did the math right, that's ~0.35 Mpps:
>
> http://marc.info/?l=openbsd-misc&m=137600809910496&w=2

If your firewall is using a Gbps link, you should take care of supporting the maximum Gigabit Ethernet throughput of 1.488 Mpps: it's too easy to DoS any kind of OpenBSD firewall with a simple user-land tool like src/tools/tools/netrate/netblast. You only need to generate about 700 Kpps for an OpenBSD 5.4 (I didn't test more recent releases).

But the performance of a firewall isn't limited to the "forwarding performance" (and the unit is a throughput in packets per second, not a bandwidth): there are lots more parameters to take care of (cf. RFC 3511, "Benchmarking Methodology for Firewall Performance").

Regards,

Olivier