Ian Donaldson wrote:
> I have a pair of Sun Fire X2100M2's connected via 100M eth switches
> (yeah, crippling gig-E) and running pfil 2.1.11, ip_fil4.1.16 and
> was noticing significant TCP throughput performance differences
> for traffic between various ethernet interfaces on the two systems.
>
> (both systems running Solaris 10/x86 6/06 with 26 Feb recommmended
> patch cluster, NVIDIA add-on driver patch 122530-02 for nge)
>
> eg: system1 bge0 -> system2 bge0 1700KB/s
> system1 bge1 -> system2 bge1 11000KB/s
> system1 nge1 -> system2 nge1 11000KB/s
>
> With top I noticed a significant portion of system time being consumed
> in the bge0 test (like 50%).
>
> Using
>
> lockstat -kIi997 sleep 10
>
> it seems this was due to the unconditional sprintf inside pfil_printmchain()
> that formats every packet's data as hex and then throws it all away.
> (I have PFILDEBUG enabled, but pfildebug=0 as they are by default)
>
>
> It seems to me that there should be an extra test in pfil_printmchain()
> for pfildebug, and if its zero (or maybe less than 50), just return,
> to save the time waste.
Yup, see the attached patch.
> What is curious though is that this problem only manifests itself
> on one of the 3 interfaces I have enabled in the system, suggesting
> something else is broken, as I would have though that all interface
> traffic would pass thru the same code.
> (yes I've verified pfil module is pushed on all interfaces)
>
> It doesn't manifest itself on another X2100M2 system that only has
> bge0 enabled but.
>
Are you saying that where bge1 is used but not bge0, the problem doesn't
arise?
That would be strange! if it happened when either bge0 or bge1 was
being used,
I could understand that...kinda...it'll be because the bge driver is
communicating
with IP "differently" because pfil is there in between.
> Not sure if pfil2.1.12 fixes this but:
>
> http://coombs.anu.edu.au/~avalon/ipf-mentat.html
>
> isn't reachable right now (some problem at ANU it seems).
>
This happens from time to time in order for maintenaince to be carried out.
> I also saw another posting on this list a while back about this issue,
> and PFILDEBUG enabled ...
>
> Subject: Re: ipfilter and backup software?
> From: Andrew Wenlang Zhu <[EMAIL PROTECTED]>
> Date: Fri, 06 Oct 2006 11:09:48 -0700 (Sat 04:09 EST)
>
> seems it hasn't been fixed yet.
>
Yeah yeah, Rome wasn't built in a day.
Darren
Index: pfilstream.c
===================================================================
RCS file: /devel/CVS/pfil/pfilstream.c,v
retrieving revision 1.63
diff -c -r1.63 pfilstream.c
*** pfilstream.c 31 Mar 2006 06:57:19 -0000 1.63
--- pfilstream.c 2 Mar 2007 23:50:26 -0000
***************
*** 91,96 ****
--- 91,99 ----
mblk_t *mc;
int i;
+ if (pfildebug < 50)
+ return;
+
for (mc = mp; mc; mc = mc->b_cont) {
i = mc->b_wptr - mc->b_rptr;
/*LINTED: E_CONSTANT_CONDITION*/
