On Tue, 2012-07-24 at 13:23 -0700, Jesse Brandeburg wrote:
> And to make e1000e more capable of processing packets you could
> consider turning on RPS to allow more cpus to process packets from the
> single interrupt that e1000e uses.
> ...
> Yes, NAPI is actually making your system continue to run in the face of
> a DoS attack. RPS will allow more CPUs to work on your receive
> traffic, which will allow more scaling.
>
> see
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/main-network.html#s-network-future
>
> for a nice description of RPS and how to enable it. suggest an rps_cpus
> value of 0xff to begin. You may also want to consider enabling RFS
> while you're there, but start with RPS for simplicity.

Unfortunately, the current Linux network stack does not behave well if SYN
packets are distributed to all CPUs, because they all contend on the
listener socket lock.

RPS would be good, but to resist SYN attacks it's better to tweak it
so that all SYN packets are sent to a single CPU.

It's a single-line change in net/core/flow_dissector.c

(or a hardware filter on ixgbe, not sure if it is doable on igb?)

_______________________________________________
E1000-devel mailing list
https://lists.sourceforge.net/lists/listinfo/e1000-devel
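
The RPS setting suggested in the quoted message (an rps_cpus value of 0xff), as an added example that is not part of the original thread: a POSIX shell helper that turns a CPU list into the hex bitmap format of the rps_cpus sysfs file and writes it to every receive queue of a device. The function names and the SYSFS_ROOT override are assumptions made for this example; it does not implement the SYN-steering kernel change mentioned in the reply.

```shell
#!/bin/sh
# Added example, not code from the thread. SYSFS_ROOT is a hypothetical
# override so the functions can be exercised against a scratch directory.

# expand_cpus "0-3,8" -> "0 1 2 3 8"
expand_cpus() {
    out=""
    old_ifs=$IFS; IFS=,
    for part in $1; do
        case $part in
            *-*) lo=${part%-*}; hi=${part#*-} ;;
            *)   lo=$part; hi=$part ;;
        esac
        c=$lo
        while [ "$c" -le "$hi" ]; do out="$out $c"; c=$((c + 1)); done
    done
    IFS=$old_ifs
    echo "${out# }"
}

# rps_mask "0-7" -> "ff". Beyond 32 CPUs the kernel bitmap format is
# comma-separated 32-bit hex words, most significant word first.
rps_mask() {
    cpus=$(expand_cpus "$1"); max=0
    for c in $cpus; do if [ "$c" -gt "$max" ]; then max=$c; fi; done
    w=$((max / 32)); mask=""
    while [ "$w" -ge 0 ]; do
        word=0
        for c in $cpus; do
            if [ $((c / 32)) -eq "$w" ]; then word=$((word | (1 << (c % 32)))); fi
        done
        if [ -z "$mask" ]; then mask=$(printf '%x' "$word")
        else mask="$mask,$(printf '%08x' "$word")"; fi
        w=$((w - 1))
    done
    echo "$mask"
}

# apply_rps DEV CPULIST: write the mask to every rx queue, print the count.
apply_rps() {
    dev=$1; mask=$(rps_mask "$2"); n=0
    for f in "${SYSFS_ROOT:-/sys}/class/net/$dev"/queues/rx-*/rps_cpus; do
        [ -e "$f" ] || continue
        echo "$mask" > "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Run as root, e.g.: sh rps.sh eth0 0-7
if [ "$#" -ge 2 ]; then apply_rps "$1" "$2"; fi
```

A printed count of 0 means the device exposes no rx-*/rps_cpus files under the chosen root, so nothing was changed.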
