Andrew,

Thanks, I'll experiment with this.  I wonder if this is also true for
the Solaris 10 release version of pfil as well.  Despite the fact that
I'm the guy who wrote the "how-to upgrade ipfilter for Solaris 10",

http://www.colby.edu/personal/j/jaearick/sysadmin/sol10.ipfilter.upgrade

I am starting to move away from doing this.  Any machine that I have
cold-installed with Solaris 10 6/06 I left alone, and I use the Sun-shipped
version of ipfilter/pfil on those machines.

Unfortunately, both of my backup servers have pfil 2.1.10 and ipfilter
4.1.13 installed.  Even if I have done "svcadm -v disable" on pfil and
ipfilter, I still see the modules loaded via modload.  I'll guess that
if the kernel module is loaded, is it still slowing me down?

Jeff Earickson
Colby College

On Fri, 6 Oct 2006, Andrew Wenlang Zhu wrote:

Date: Fri, 06 Oct 2006 11:09:48 -0700
From: Andrew Wenlang Zhu <[EMAIL PROTECTED]>
To: Jeff A. Earickson <[EMAIL PROTECTED]>
Cc: [email protected]
Subject: Re: ipfilter and backup software?

Jeff,

Whenever PFILDEBUG is set in the Makefile, pfil will include
pfil_printmchain() in the data path, and the damage is done. This is a
time-consuming function. You did not see log messages because the value
of "external int pfildebug"

Read the code in pfilstream.c and you will get a better idea.

I do not know what OS you are running, but you may find some tools to
identify what function the system spends most time on.

Andrew


On Fri, 2006-10-06 at 08:47 -0400, Jeff A. Earickson wrote:
Andrew,

Thanks for the tip.  In my case, I've got pfil 2.1.10, and I too found
the PFILDEBUG flag in the Makefiles.  However, I see zilch in my syslogs
from pfil, and I'm logging at "*.info" facility in /etc/syslog.conf.

Darren,

Any comments here?  Is the PFILDEBUG thing in the Makefile a "bug"?

Jeff Earickson
Colby College

On Thu, 5 Oct 2006, Andrew Wenlang Zhu wrote:

Date: Thu, 05 Oct 2006 11:17:42 -0700
From: Andrew Wenlang Zhu <[EMAIL PROTECTED]>
To: Jeff A. Earickson <[EMAIL PROTECTED]>
Cc: [email protected]
Subject: Re: ipfilter and backup software?

Jeff,

Did you look at the syslog? If you find a lot of ipfilter-related logs,
pfil could be the culprit.

I downloaded pfil 2.1.11 to use with ipf 4.1.13, and encountered a
performance problem similar to yours. Later I found that the Makefile that
came with pfil set the DEBUG flag by default, which caused overwhelming log
messages under heavy traffic.

PFILDEBUG=-DPFILDEBUG

You can try to remove -DPFILDEBUG, then recompile and reload the pfil driver.

Andrew


On Thu, 2006-10-05 at 09:12 -0400, Jeff A. Earickson wrote:
Hi,

Does anybody else run ipfilter on a system that does network
based backups, like Netbackup or Legato?  Have you ever tested
your backup performance with and without ipfilter?

We run Netbackup 6.0 MP3 on two systems (with two robots), a
V490 (4 cpus) with an ADIC i2000, and a V210 (2 cpus) with an
ADIC i500.  Both robots are hooked to their hosts via fibre.
Both hosts run Solaris 10 with ipf 4.1.13.

I've noticed that shutting off ipfilter on the host makes a big
difference (30% or more) in terms of robot throughput, as measured
by iostat and Netbackup statistics.   As a result, I have to
keep ipfilter disabled on these two hosts.

Anybody else seen this?

Jeff Earickson
Colby College
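
An added illustration of the point discussed in this thread (not code from pfil or from any poster): a constructed C model in which a dump routine compiled into the packet path does its formatting work on every packet, while a runtime level of 0 keeps anything from being logged. The types, the names `dump_chain` and `run`, the ordering of work inside the routine, and the 40 + 1460 byte packet are assumptions made for the model; the real routine is in pfilstream.c.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for a chained message buffer; not pfil's own types. */
struct blk { const unsigned char *data; size_t len; const struct blk *next; };
struct result { unsigned long bytes_formatted, lines_logged; };

static int debug_level;         /* runtime switch, the role pfildebug plays in the thread */
static struct result counters;  /* work done by the dump routine */

/* Hypothetical dump routine: formats every byte first and consults the
 * runtime level only when deciding whether to emit the finished line. */
static void dump_chain(const struct blk *b)
{
    char line[3 * 16 + 1];
    for (; b != NULL; b = b->next)
        for (size_t off = 0; off < b->len; off += 16) {
            size_t n = b->len - off < 16 ? b->len - off : 16;
            for (size_t i = 0; i < n; i++)
                snprintf(line + 3 * i, 4, "%02x ", (unsigned)b->data[off + i]);
            counters.bytes_formatted += n;
            if (debug_level > 0)
                counters.lines_logged++;   /* a real driver would log here */
        }
}

/* debug_build models compiling with -DPFILDEBUG (the call sits in the data path). */
struct result run(int packets, int debug_build, int level)
{
    static const unsigned char hdr[40], payload[1460];   /* constructed packet */
    const struct blk tail = { payload, sizeof payload, NULL };
    const struct blk head = { hdr, sizeof hdr, &tail };

    debug_level = level;
    counters = (struct result){ 0, 0 };
    for (int p = 0; p < packets; p++)
        if (debug_build)
            dump_chain(&head);   /* filtering itself is omitted from the model */
    return counters;
}

int main(void)
{
    struct result a = run(1000, 1, 0), b = run(1000, 0, 0);
    printf("debug build, level 0: %lu bytes formatted, %lu lines logged\n",
           a.bytes_formatted, a.lines_logged);
    printf("rebuilt without flag: %lu bytes formatted, %lu lines logged\n",
           b.bytes_formatted, b.lines_logged);
    return 0;
}
```

In the model, the debug build with the level at 0 formats 1,500,000 bytes for 1000 packets and logs nothing, which is the combination of slow throughput and an empty syslog reported above; the build without the flag does no formatting at all.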

