Max Laier wrote:
On Wednesday 25 March 2009 00:13:55 Deomid Ryabkov wrote:
> i have a machine with nc running through it. with pf disabled, i see 960-970 mbit/s through it (as reported by systat -ifstat). just having pf enabled, with empty ruleset:
>
> # pfctl -vs nat
> # pfctl -vs rules
>
> reduces throughput to about 700 mbit. this seems wrong. any ideas why this might be happening?

You have to search the (empty) ruleset for the (implicit) default "pass all" rule. This is somewhat expensive. Then there is the pf mutex (quite expensive) and the pfil rm_lock (not so much). In addition the pf mutex is a single, global lock and thus reduces the opportunity for parallelism.
thanks for the explanation, Max.

further data point: a ruleset with 8 nat rules that never match (but have to be checked) chops off a further ~50 mbit. that i'm less worried about, but the initial hit for just enabling filtering does worry me quite a bit.

is there anything to be done about that? is anything being done? or planned?

[hardware is 2 x Xeon E5410 (2.3 GHz), network interfaces are Intel PRO/1000 PT]
OS: 8.0-CURRENT #0: Fri Feb 27 04:20:49 MSK 2009

thanks.
-- 
Deomid Ryabkov aka Rojer
ICQ: 8025844
