Henning Brauer [lists-open...@bsws.de] wrote:
> * Chris Cappuccio <ch...@nmedia.net> [2014-06-21 20:05]:
> > Right now all routers and firewalls should
> > be on SP kernels or you will actually have worse performance.
>
> This is not true any more and hasn't been for some time.
>
> It is, however, true that the extra cores buy you little to nothing
> for the kernel side, i. e. a pure packet forwarding firewall (no
> proxies) or a static-routing router won't really benefit.

I have a Sandy Bridge Xeon box with PF NAT that handles a daily 200 to 700Mbps. It has a single myx interface using OpenBSD 5.5 (not current). It does nothing but PF NAT and related routing. No barrage of vlans or interfaces. No dynamic routing. Nothing else. 60,000 to 100,000 states.

With an MP kernel, kern.netlivelocks increases by something like 150,000 per day!! The packet loss was notable. With an SP kernel, the 'netlivelock' counter barely moves. Maybe 100 per day on average, but for the past week, maybe 5.

I don't know if there is a significant reduction in throughput in either case, I haven't actually tested it. I can't imagine this situation makes MP preferable unless you have low throughput and lots of userland activity...

If you don't see netlivelocks going up on your MP routers, I'm going to cry. Maybe my PF configs are too complicated. I'm using tables with ten, twenty or thirty /32s in each table, called by five or six rules, maybe those radix lookups are expensive.