On Tue, Oct 09, 2007 at 08:03:18PM +0200, Henning Brauer wrote:
> * Florin Andrei <[EMAIL PROTECTED]> [2007-10-09 19:34]:
> >> then, an i386 kernel should perform considerably better than amd64 for 
> >> firewalling/routing/...
> >
> > That is surprising. What is the reason?
> 
> we dunno really. it hasn't been benched in some time so it might not even 
> be true any more, but last time the difference was dramatic.
> 
> > How much RAM can the i386 kernel use on an amd64 machine?
> 
> 4GB minus pci space
> 
> >> next, you don't want SMP for such tasks. take out the second CPU and give 
> >> it to somebody who can use it, and run the uniprocessor kernel.
> > So, assuming the box is a pure firewall / static router (so just pf and 
> > static routes), even with multiple interfaces, all those tasks run in a 
> > single kernel thread?
> 
> yup
> 

Why is this?  Is there a security reason why the kernel is
single-thread; is it OBSD resource limitations (no developer time, no
hardware, etc); is it not enough interest yet?

With interface speeds and bus bandwidth going up, how many interfaces is
it possible to handle at full interface bandwidth on the fastest UP CPU
and how much memory does that take?

If you need more performance, do you build multiple boxes and CARP them?
Virtualization to run multiple OBSDs, each on its own core (ignoring
security issues of virtualization; crack one client is no worse than
having a single OBSD running all interfaces getting cracked).  Or do you
start assembling a big box with multiple MBs each with a UP hooked up to
a pair of drives, all co-located in one box with dual/triple/quad
redundant PSUs?

Not that I'm personally in need of the technology; I'm the one trying to
keep a 486 patched on dialup.  

I'm just interested.

Doug.
