Thx for the reply. Well, I've already increased the state table size to 150000 entries; 10000 was not enough (there were up to 70000 simultaneous state entries during the test). Hardware-wise, I'm using a Xeon 2.4 GHz single-core with 1 GB of RAM. Since this server is used as a firewall only, I've raised the kernel space memory to up to 90% of total memory. I don't want to make hasty conclusions, so I'll keep searching.


Ryan McBride <mcbr...@openbsd.org> wrote:

There is not much to tweak, performance-wise. OpenBSD avoids such
buttons like the plague, and besides: benchmarks should be run with a
stock install, which is what 99% of users are going to be doing as well.

You can try looking at the output of 'pfctl -si' and see if any of those
are increasing a lot; it may give you some more hints. The only thing
that jumps to mind is the states limit; if it's getting hit you'll see
the memory counter increase. I can't make any suggestion for a good
value for 'set limit states' though because you included zero
information about the hardware you're testing on.



On Tue, Aug 16, 2011 at 02:12:01PM -0400, Quentin Aebischer wrote:
Hello everyone,

I'm currently a master's degree student, and I'd like to benchmark
packet filter on the number of TCP sessions per second it can
handle.

So I've got a very basic setup working, consisting of one server
running OpenBSD 4.9 with PF (acting as firewall-router), and 2 PCs
running Linux, acting respectively as client and webserver (the
latter running apache2).

Basically, the client spams standard HTTP requests to the server via
the firewall using a basic HTTP injector tool and evaluates the
number of successfully processed requests per second.

As one can expect, there is an inverse relationship between the
number of sessions/s a firewall can sustain and the size of the
object of the request. To achieve maximum throughput, you've got to
request big objects (i.e. 50 KB or more), whereas to achieve the
maximum session rate per second, you've got to make requests for
zero-size objects.

Prior to this, I've run some tests with a Linux firewall running
iptables, and I've come up with an average rate of 11300 sessions/s
for zero-size objects (straight-up results, no tweaks or improvements
made).

Moving on to the OpenBSD tests, I only achieved an average rate of
7000 sessions/s for zero-size objects (starting up at 8000, slowly
decreasing to 7000 - 6500 ...), which is way above the
linux/iptables average rate. I then tried to make some tweaks in
/etc/sysctl.conf, but no improvement so far. The ruleset I use is
the following (copied from the OpenBSD pf tutorial):

set block-policy drop
pass out quick
pass in on $WAN inet proto tcp port 80 rdr-to $HTTP_SERVER_IP
pass in inet proto icmp all
pass in on $LAN


So I come here now to know whether you guys have any idea what sort
of tweaks I could try to significantly enhance the number of TCP
sessions per second processed by PF. I'm kind of a PF newbie, so
I'm clueless for the moment. Any hints, thoughts or ideas are
appreciated!
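The 'pfctl -si' check suggested in the reply above, as an added example that is not part of the thread: a small POSIX sh script that diffs two snapshots of the pf counters against the configured 'set limit states' value. The snapshot text is constructed to mimic pfctl -si output; the counter names assumed are 'current entries', 'memory' and 'state-limit'.

```shell
# Added example (not from the thread): diff two 'pfctl -si' snapshots to see
# whether PF is refusing new states. Snapshots below are constructed; on a real
# box capture 'pfctl -si' twice and read the limit from 'pfctl -sm'.

# Print the Total column of one named pfctl -si line read on stdin.
pf_counter() {
    awk -v name="$1" '{
        line = $0; sub(/^[ \t]+/, "", line)
        if (index(line, name) == 1) {
            rest = substr(line, length(name) + 1)
            if (rest ~ /^[ \t]/) { split(rest, f, " "); print f[1]; exit }
        }
    }'
}

# $1/$2 = earlier/later snapshot, $3 = 'set limit states'. "memory" grows when
# the state pool hard limit refuses a state, "state-limit" on per-rule max-states.
pf_state_pressure() {
    b_mem=$(printf '%s\n' "$1" | pf_counter memory)
    a_mem=$(printf '%s\n' "$2" | pf_counter memory)
    b_lim=$(printf '%s\n' "$1" | pf_counter state-limit)
    a_lim=$(printf '%s\n' "$2" | pf_counter state-limit)
    cur=$(printf '%s\n' "$2" | pf_counter "current entries"); cur=${cur:-0}
    mem_delta=$(( ${a_mem:-0} - ${b_mem:-0} ))
    lim_delta=$(( ${a_lim:-0} - ${b_lim:-0} ))
    pct=$(( cur * 100 / $3 ))
    if [ "$mem_delta" -gt 0 ] || [ "$lim_delta" -gt 0 ]; then
        echo "LIMIT-HIT memory+=$mem_delta state-limit+=$lim_delta current=$cur/$3 (${pct}%)"
    elif [ "$pct" -ge 80 ]; then
        echo "NEAR-LIMIT current=$cur/$3 (${pct}%)"
    else
        echo "OK current=$cur/$3 (${pct}%)"
    fi
}

# Constructed snapshots: a 10000-entry state table filling up under load.
PF_SNAP_BEFORE=$(cat <<'EOF'
State Table                          Total             Rate
  current entries                     9850
  memory                                 0            0.0/s
  state-limit                            0            0.0/s
EOF
)
PF_SNAP_AFTER=$(cat <<'EOF'
State Table                          Total             Rate
  current entries                    10000
  memory                               312            5.2/s
  state-limit                            0            0.0/s
EOF
)

pf_state_pressure "$PF_SNAP_BEFORE" "$PF_SNAP_AFTER" 10000
```

A growing "memory" counter with "current entries" pinned at the limit is the signature of a full state table; a table that stays well under the limit while the session rate still drops points elsewhere.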

