Hello
It would be nice if there were a knob to mark some rules "skip on high load" so
they would be skipped to avoid congestion.
If there were such a feature I could do extensive traffic scrubbing or some
kind of resource-expensive traffic monitoring knowing that it would not
affect traffic throughput.
In the example pf.conf all marked rules could be skipped, especially the rules
marked "Y" and "Xc"; they make no sense except for monitoring.
Of course I have read other posts concerning pf performance and will try 4.2
very soon.
Story
I was playing with one of my routers and noticed congestion when I enabled some
rules to monitor traffic volume by destination/origin. The purpose was to see
the volume of foreign and local country traffic.
systat vmstat
gave me more than
10k interrupts and ~30% CPU load
so I figured out that my pf rules were causing congestion.
I suspected the rule marked with "Y" because table <mycountry> contains the
whole country's aggregated IP list.
After traffic was analyzed and some improvements done in BGP routing, the "Y"
rule was commented out.
The congestion appeared again. It was good and bad news, good because changes
in BGP configuration gave more traffic throughput, bad because pf rules could
not keep up with the increased speed.
Had to take out rules marked with "Xa", "Xb2", "Xc" and
narrow block rules "Xb" to specific external interfaces and specific ports;
congestion almost gone.
It appeared a few times in a period of 2 hours.
Had to take out rule "X" and there was no more sign of congestion.
pf.conf example
# Normalize Traffic
scrub in                                                         # X
scrub out on { $ext_if $int_if } all random-id                   # Xa
# Block by default
block all
# Log & Return some info
block return-rst log proto tcp from any to self                  # Xb
block return-icmp log proto udp from any to self                 # Xb2
.....
#
pass out quick on $ext_if from <mynets> to <mycountry> no state  # Y
pass out log quick on $ext_if from <mynets> to <trap> no state   # Xc
pass out quick on $ext_if from <mynets> no state
....
--
Best Regards,
Guntis
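As an added example (not part of Guntis' post, and not an existing pf feature), the requested "skip on high load" knob can be approximated with what pf already offers: keep the monitoring-only rules ("Y", "Xc") in a named anchor and let a periodic job load or flush that anchor depending on machine load. When the anchor is empty, pf spends almost nothing on it. The anchor name "monitoring", the rules file /etc/pf.monitoring.conf, the threshold of 2.0 and the use of the 1-minute load average (in place of the interrupt and CPU figures seen in systat) are all assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post): emulate a "skip these rules on
# high load" knob by keeping the expensive monitoring rules in a pf anchor
# and loading or flushing that anchor from a periodic job.
#
# pf.conf side (assumed; the anchor rule sits where the "Y"/"Xc" rules were):
#   anchor "monitoring" out on $ext_if
# /etc/pf.monitoring.conf (assumed) then holds the monitoring rules, e.g.:
#   pass out quick on $ext_if from <mynets> to <mycountry> no state
#   pass out log quick on $ext_if from <mynets> to <trap> no state
# Macros such as $ext_if are not inherited from pf.conf when a separate file
# is loaded into an anchor; define them in that file or pass them with
# pfctl -D ext_if=<interface>. Tables from the main ruleset are visible.

ANCHOR="monitoring"                 # assumed anchor name
RULES="/etc/pf.monitoring.conf"     # assumed path of the monitoring rules
THRESHOLD="${THRESHOLD:-2.0}"       # assumed 1-minute load average cut-off

# current_load: first (1-minute) load average as printed by uptime, which
# reads "load averages: 0.32, 0.28, 0.25" on OpenBSD and
# "load average: 0.32, 0.28, 0.25" on Linux.
current_load() {
    uptime | sed 's/.*load average[s]*: *//; s/[, ].*//'
}

# over_threshold LOAD THRESHOLD: exit 0 when LOAD is strictly above
# THRESHOLD. awk does the floating-point comparison that sh cannot.
over_threshold() {
    awk -v l="$1" -v t="$2" 'BEGIN { exit !(l + 0 > t + 0) }'
}

# decide LOAD THRESHOLD: prints "flush" when the monitoring rules should be
# skipped and "load" when they can be active again.
decide() {
    if over_threshold "$1" "$2"; then
        echo flush
    else
        echo load
    fi
}

# apply ACTION: flush or (re)load the anchor only when its state actually
# changes, so a quiet system does not reload rules every minute. The base
# ruleset in pf.conf is never touched.
apply() {
    active=$(pfctl -a "$ANCHOR" -sr 2>/dev/null | wc -l)
    case "$1" in
        flush)
            if [ "$active" -gt 0 ]; then
                pfctl -a "$ANCHOR" -F rules
            fi
            ;;
        load)
            if [ "$active" -eq 0 ]; then
                pfctl -a "$ANCHOR" -f "$RULES"
            fi
            ;;
    esac
}

# Run from cron, e.g. every minute:  sh pf-monitoring-knob.sh run
if [ "${1:-}" = run ]; then
    apply "$(decide "$(current_load)" "$THRESHOLD")"
fi
```

The decision and the pf action are kept in separate functions so the threshold logic can be exercised without root or a pf kernel; only apply() calls pfctl. Because a quick rule inside the anchor still ends evaluation of the whole ruleset, the monitoring rules behave exactly as they did in the main pf.conf while the anchor is loaded.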