Stuart Henderson wrote:
> On 2007/10/04 17:48, Florin Andrei wrote:
>> All firewall rules are written as stateless as possible - I don't need stateful filtering, the setup is very simple (allow HTTP inbound, allow a few ICMP types, and that's it).
>>   congestion                        116169          197.2/s
>
> Try setting net.inet.ip.ifq.maxlen to 256 (sysctl/sysctl.conf),
> if you still see the congestion count increasing then search for
> net.inet.ip.ifq.maxlen in the list archives and have a read.

I raised maxlen to 300. I also enabled ACPI. It's still slow. The congestion counter is still not zero - currently at 386.5/s. One good thing is that there used to be a big pause when the kernel was booting up, probably waiting for some device or something - now with ACPI the pause is smaller. It's still waiting for something, just not as much.

I am watching the system with top, set to update every 1s, and I noticed there are a lot of interrupt load bursts on CPU0. The percentage of interrupt load is very uneven, sometimes as low as 15%, sometimes as high as 75%. I unleashed the UDP flood and the firewall is totally frozen - can't do anything even on the local keyboard. Not even the display (running top) gets updated anymore. The machine is frozen solid. All network traffic stops immediately.
Kill the UDP flood and OpenBSD resumes normal operations.

I tried the uniprocessor kernel and it's exactly the same.

Comparison with Linux on the exact same hardware:
HTTP download speed through the firewall is 112 Mbyte / sec (saturating the GigE ports) and the interrupt load is relatively low and constant - about 30%. Under UDP flood with Linux as a firewall, the current download finishes up, but a new one cannot get started. The system is not frozen at all, it's quite usable, in fact I can heavily overload it (running a bunch of CPU hogs) to the point where userspace becomes sluggish and load average is up to 250 or so, yet the firewall is not influenced at all.

So what's the deal here? The heavy interrupt load percentage seems to indicate an issue with the network driver, if I'm not mistaken. But these are good and quite popular network cards - Intel Pro/1000 PCI Express 4x dual-port gigabit, seen by the kernel as em0 and em1.

--
Florin Andrei

http://florin.myip.org/
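The check Stuart suggests (raise net.inet.ip.ifq.maxlen, then see whether the pfctl congestion counter keeps climbing) can be scripted. The following is an added example, not code from either poster: it parses the `congestion` line of `pfctl -si` output from two snapshots taken some seconds apart, confirms the sysctl is at or above the suggested 256, and reports the increase and the per-second rate. The two snapshot texts and the sysctl line embedded below are constructed for illustration, not captured from the box in the thread; `live_check` is the hypothetical wrapper you would actually run on the OpenBSD firewall itself.

```sh
#!/bin/sh
# Added example: is the pf "congestion" counter still rising after raising
# net.inet.ip.ifq.maxlen?  Nothing here comes from the original posts.

# Print the congestion total from `pfctl -si` text on stdin (empty if absent).
congestion_total() {
    awk '$1 == "congestion" { print $2; exit }'
}

# Difference of the congestion counter between two pfctl -si snapshots.
# Prints the delta; returns 1 if either snapshot lacks the counter line.
congestion_delta() {
    a=$(printf '%s\n' "$1" | congestion_total)
    b=$(printf '%s\n' "$2" | congestion_total)
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "congestion counter not found" >&2
        return 1
    fi
    echo $((b - a))
}

# $1: a line such as "net.inet.ip.ifq.maxlen=256" (OpenBSD sysctl format)
# $2: minimum acceptable value.  Returns 0 if the value meets the minimum.
maxlen_ok() {
    val=${1#*=}
    [ "$val" -ge "$2" ]
}

# $1: sysctl line, $2/$3: first/second pfctl -si snapshot, $4: seconds apart.
# Returns 0 if stable, 1 if maxlen is too low, 2 if congestion still rises.
assess() {
    if ! maxlen_ok "$1" 256; then
        echo "net.inet.ip.ifq.maxlen is ${1#*=}: raise it to at least 256 first"
        return 1
    fi
    d=$(congestion_delta "$2" "$3") || return 1
    if [ "$d" -gt 0 ]; then
        rate=$(awk -v d="$d" -v s="$4" 'BEGIN { printf "%.1f", d / s }')
        echo "congestion still rising: +$d in $4 s (${rate}/s) at maxlen ${1#*=}"
        return 2
    fi
    echo "congestion counter stable at maxlen ${1#*=}"
    return 0
}

# Hypothetical live wrapper for the firewall itself: two real samples,
# $1 seconds apart (default 10).  Not invoked below, so the file runs anywhere.
live_check() {
    secs=${1:-10}
    first=$(pfctl -si)
    sleep "$secs"
    second=$(pfctl -si)
    assess "$(sysctl net.inet.ip.ifq.maxlen)" "$first" "$second" "$secs"
}

# Constructed snapshots (only the lines this script cares about are realistic).
SNAP_BEFORE='Status: Enabled for 0 days 01:00:00
Counters
  match                           4321            0.0/s
  congestion                    116169          197.2/s'
SNAP_AFTER='Status: Enabled for 0 days 01:00:05
Counters
  match                           4330            0.0/s
  congestion                    117000          197.2/s'

# Demonstration with the constructed data: prints the "still rising" verdict.
assess "net.inet.ip.ifq.maxlen=300" "$SNAP_BEFORE" "$SNAP_AFTER" 5 || true
```

If the verdict is "still rising" even with maxlen well above 256, the queue length is not the bottleneck, which is the point at which Stuart's advice to read the archive threads on net.inet.ip.ifq.maxlen applies.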