Hi Stefan,

I suggest you cvs the source to branch RELENG_7 and rebuild world kernel. (Rebuilding kernel helps a little but still have performance hits.) I had major performance issues with RC1 on my P3 box (128 RAM) with load hitting 6+ in top. Now the load averages at 0.15.

Regards,
Tommy

--- Stefan Lambrev <[EMAIL PROTECTED]> wrote:

> Abdullah Ibn Hamad Al-Marri wrote:
> > ----- Original Message ----
> >
> >> From: Stefan Lambrev <[EMAIL PROTECTED]>
> >> To: [email protected]
> >> Sent: Thursday, January 24, 2008 6:39:41 PM
> >> Subject: PF makes em0 taskq to eat 100% CPU
> >>
> >> Hello,
> >>
> >> I'm doing some tests and benchmarks and I'm testing pf on bridge firewall.
> >> One of the specific tests is how PF will handle SYN flood from random
> >> source addresses.
> >> While the bridge is w/o activated PF, I see 12-14MB/s traffic.
> >> When I enable the PF the traffic drops to 2-5MB/s and I'm starting to
> >> see lost packets.
> >>
> >> Here is what top -S shows when PF is not active:
> >> 25 root 1 -68 - 0K 16K - 1 34:45 26.37% em0 taskq - only 26% CPU used
> >>
> >> but when I enable PF it (em0 taskq) goes up to 100% and packets are lost.
> >>
> >> Here is the pf.conf used for tests:
> >>
> >> #macros
> >> ext_if="em0"
> >> int_if="em1"
> >> br_if="bridge0"
> >>
> >> www="10.3.3.1"
> >>
> >> #sets
> >> set skip on lo0
> >> set skip on $int_if
> >> set skip on $br_if
> >> set limit states 20000000
> >> set limit src-nodes 15000
> >> set optimization aggressive
> >>
> >> table persist file "/etc/abusive_hosts"
> >>
> >> block log quick from to any
> >> block log quick from any to
> >>
> >> pass in quick on $ext_if proto tcp from any to $www port { 80, 443 } flags S/SA keep state \
> >> (source-track rule, max-src-conn-rate 150/10, max-src-states 250, overload flush global)
> >>
> >> The number of states that I reach is little more than 2,000,000.
> >> (20,000,000 is the limit that I enforce)
> >> FreeBSD 7.0-RC1- Thu Jan 24 - amd64 - sched_ule
> >>
> >> Please advise.
> >>
> >> --
> >>
> >> Best Wishes,
> >> Stefan Lambrev
> >> ICQ# 24134177
> >
> > Hello Stefan,
> >
> > What version of FreeBSD do you use and what arch? What is your CPU
> > spec and what RAM?
>
> FreeBSD 7.0-RC1 - Thu Jan 24 - amd64 - sched_ule, My CPU is Xeon(R)
> X3220 2.4 GHz - quad core, 2GB RAM
> I increased kern.ipc.nmbclusters=262144
> I find device polling quite helpful here - at least the CPUs are idle.
>
> > Regards,
> > -Abdullah Ibn Hamad Al-Marri
> > Arab Portal
> > http://www.WeArab.Net/
>
> --
>
> Best Wishes,
> Stefan Lambrev
> ICQ# 24134177
>
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
