Andrew

I tested pfil that was compiled without PPFILDEBUG flag set. Now network speed performance is the same as without pfil loaded.

Thanks for the tip!

Rhetorical question: wouldn't it be reasonable to include this in README or ensure that DEBUG for pfil is not enabled by default?

With best regards
Martynas

-----Original Message-----
From: Andrew Wenlang Zhu [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 13, 2007 10:29 PM
To: Buozis, Martynas
Cc: [email protected]
Subject: RE: pfil and network performance

Martynas,

PPFILDEBUG enables Pfil to track packet flow, but I agree it should be cleaned at release version.

The Pfil driver itself is quite lightweight, and most of the overhead comes from the ipf module. The degree of impact depends on number of rules, rule type, and whether you use NAT, etc.

Andrew

On Tue, 2007-02-13 at 21:13 +0100, Buozis, Martynas wrote:
> Andrew
>
> Yes, I compiled by myself using the default Makefile. Now I see that
> PFILDEBUG was defined in there and recompiled pfil, but will test it
> tomorrow.
>
> Are there any other concerns about performance issues? Why is DEBUG
> defined by default and no info in README file about this?
>
> Thank you for your advice.
>
>
> With best regards
> Martynas
>
> -----Original Message-----
> From: Andrew Wenlang Zhu [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 13, 2007 7:28 PM
> To: Buozis, Martynas
> Cc: [email protected]
> Subject: Re: pfil and network performance
>
>
> Do you compile IPFilter by yourself?
>
> In many versions of IPfilter source code, the Pfil Makefile sets the debug
> flag on by default.
>
> You may check Pfil Makefile in your code to make sure PFILDEBUG is not
> set. E.g.
>
> PFILDEBUG=
>
> It highly impacts network performance with this flag on.
>
>
> Andrew
>
>
> On Tue, 2007-02-13 at 16:08 +0100, Buozis, Martynas wrote:
> > Hello
> >
> > I am running IPFilter installation on Solaris 8 (Generic_117350-41).
> > PFIL version is 2.1.11,REV=10:54:27 11/16/06.
> >
> > We noticed that PFIL is causing big impact to network performance even
> > when IPFilter is stopped (just PFIL is loaded) and no rules are present.
> > 2GB file copy from NFS server took 35 minutes with PFIL loaded, while
> > without PFIL only 3 minutes were required to copy same file.
> >
> > Can somebody advise where the problem is with PFIL?
> >
> >
> > With best regards
> > Martynas
