Jeff, 

On Solaris, the Pfil module is loaded as a stream module, the same on HP-UX
too, so every network packet passing in and out will go through the module
whether or not a rule is configured, and it slows down the traffic a
little bit or uses slightly more CPU.

I did a test on HP-UX: loading the module alone without a rule will cost
1% to 2% more CPU consumption under heavy traffic (without the PFILDEBUG
flag in the Makefile).

I did not use the Sun-shipped ipfilter but compiled the source code to run it
on Solaris 10.

Andrew


On Fri, 2006-10-06 at 14:31 -0400, Jeff A. Earickson wrote:
> Andrew,
> 
> Thanks, I'll experiment with this.  I wonder if this is also true for
> the Solaris 10 release version of pfil as well.  Despite the fact that
> I'm the guy who wrote the "how-to upgrade ipfilter for Solaris 10",
> 
> http://www.colby.edu/personal/j/jaearick/sysadmin/sol10.ipfilter.upgrade
> 
> I am starting to move away from doing this.  Any machine that I have
> cold-installed with Solaris 10 6/06 I left alone, and I use the Sun-shipped
> version of ipfilter/pfil on those machines.
> 
> Unfortunately, both of my backup servers have pfil 2.1.10 and ipfilter
> 4.1.13 installed.  Even if I have done "svcadm -v disable" on pfil and
> ipfilter, I still see the modules loaded via modload.  I'll guess that
> if the kernel module is loaded, is it still slowing me down?
> 
> Jeff Earickson
> Colby College
> 
> On Fri, 6 Oct 2006, Andrew Wenlang Zhu wrote:
> 
> > Date: Fri, 06 Oct 2006 11:09:48 -0700
> > From: Andrew Wenlang Zhu <[EMAIL PROTECTED]>
> > To: Jeff A. Earickson <[EMAIL PROTECTED]>
> > Cc: [email protected]
> > Subject: Re: ipfilter and backup software?
> > 
> > Jeff,
> >
> > Whenever PFILDEBUG is set in the Makefile, Pfil will include
> > pfil_printmchain( ) in the data path, and the damage is done. This is a
> > time-consuming function. You did not see log messages because the value
> > of "external int pfildebug"
> >
> > Read the code in pfilstream.c and you will get a better idea.
> >
> > I do not know what OS you are running, but you may find some tools to
> > identify what function the system spends most time on.
> >
> > Andrew
> >
> >
> > On Fri, 2006-10-06 at 08:47 -0400, Jeff A. Earickson wrote:
> >> Andrew,
> >>
> >> Thanks for the tip.  In my case, I've got pfil 2.1.10, and I too found
> >> the PFILDEBUG flag in the Makefiles.  However, I see zilch in my syslogs
> >> from pfil, and I'm logging at "*.info" facility in /etc/syslog.conf.
> >>
> >> Darren,
> >>
> >> Any comments here?  Is the PFILDEBUG thing in the Makefile a "bug"?
> >>
> >> Jeff Earickson
> >> Colby College
> >>
> >> On Thu, 5 Oct 2006, Andrew Wenlang Zhu wrote:
> >>
> >>> Date: Thu, 05 Oct 2006 11:17:42 -0700
> >>> From: Andrew Wenlang Zhu <[EMAIL PROTECTED]>
> >>> To: Jeff A. Earickson <[EMAIL PROTECTED]>
> >>> Cc: [email protected]
> >>> Subject: Re: ipfilter and backup software?
> >>>
> >>> Jeff,
> >>>
> >>> Did you look at the syslog? If you find a lot of ipfilter-related logs,
> >>> pfil could be the culprit.
> >>>
> >>> I downloaded pfil 2.1.11 to use with ipf 4.1.13, and encountered a
> >>> performance problem similar to yours. Later I found that the Makefile that
> >>> came with pfil set the DEBUG flag by default, which caused overwhelming log
> >>> messages under heavy traffic.
> >>>
> >>> PFILDEBUG=-DPFILDEBUG
> >>>
> >>> You can try to remove -DPFILDEBUG, then recompile and reload the pfil driver.
> >>>
> >>> Andrew
> >>>
> >>>
> >>> On Thu, 2006-10-05 at 09:12 -0400, Jeff A. Earickson wrote:
> >>>> Hi,
> >>>>
> >>>> Does anybody else run ipfilter on a system that does network
> >>>> based backups, like Netbackup or Legato?  Have you ever tested
> >>>> your backup performance with and without ipfilter?
> >>>>
> >>>> We run Netbackup 6.0 MP3 on two systems (with two robots), a
> >>>> V490 (4 cpus) with an ADIC i2000, and a V210 (2 cpus) with an
> >>>> ADIC i500.  Both robots are hooked to their hosts via fibre.
> >>>> Both hosts run Solaris 10 with ipf 4.1.13.
> >>>>
> >>>> I've noticed that shutting off ipfilter on the host makes a big
> >>>> difference (30% or more) in terms of robot thruput, as measured
> >>>> by iostat and Netbackup statistics.   As a result, I have to
> >>>> keep ipfilter disabled on these two hosts.
> >>>>
> >>>> Anybody else seen this?
> >>>>
> >>>> Jeff Earickson
> >>>> Colby College
> >>>
> >
