Henning Brauer wrote:

First, you want to run 4.2 or -current, that should about double your throughput.

Yes, I was looking at a paragraph in the 4.2 release notes and I thought all those things might be related exactly to the problem I'm seeing:

##############
Huge performance improvements in the network stack, including:
* In pf, store routing table ID, queue ID etc directly in the packet header mbuf instead of using mbuf tags (which use malloc'd memory). This yields a 100% improvement in pf performance.
* Skip TCP/UDP/ICMP/ICMP6 checksumming when not necessary. This yields a further 10% improvement in pf performance.
* A change in the way the kernel random pool is stirred greatly increases performance with network interface cards that support interrupt mitigation, especially on architectures where reading the clock is expensive (such as amd64).
##############

I'll try 4.2.

then, an i386 kernel should perform considerably better than amd64 for firewalling/routing/...

That is surprising. What is the reason?

How much RAM can the i386 kernel use on an amd64 machine?

next, you don't want SMP for such tasks. take out the second CPU and give it to somebody who can use it, and run the uniprocessor kernel.

So, assuming the box is a pure firewall / static router (so just pf and static routes), even with multiple interfaces, all those tasks run in a single kernel thread?

Now here's the second thing: if this firewall needs to be integrated in an environment with dynamic routing, it will need to run some kind of dynamic routing daemon(s). For that, I'd like to have at least two cores on the system, and a kernel that can take advantage of them. If the SMP kernel does not actually hurt performance, I might have to use it.

--
Florin Andrei

http://florin.myip.org/
