Time to let go of ipfilter

Atte Peltomäki atte.peltomaki at iki.fi
Tue Feb 22 02:50:23 PST 2011


On Tue, Feb 22, 2011 at 11:36:52AM +0100, Francois Tigeot wrote:
> On Tue, Feb 22, 2011 at 11:49:49AM +0200, Atte Peltomäki wrote:
> > On Tue, Feb 22, 2011 at 10:16:48AM +0100, Francois Tigeot wrote:
> > > On Tue, Feb 22, 2011 at 10:45:35AM +0200, Atte Peltomäki wrote:
> > > > On Tue, Feb 22, 2011 at 02:20:59AM -0600, Chris Turner wrote:
> > > > > On 02/21/11 07:57, Atte Peltomäki wrote:
> > > > > > PF is simply too slow. It does have good functionality and it's easy to
> > > > > > use, but it doesn't scale beyond small/medium networks. I stress-tested
> > > > > > it some time ago and OpenBSD/pf could get a combined throughput of
> > > > > > around 1.6Gbps. FreeBSD/pf got a little better, but not so that it would
> > > > > > really mean much.
> > > > > 
> > > > > > What was the max {memory,pci,processor} bandwidth on the machine under 
> > > > > test?
> > 
> > I see. It's been ages, but I found something that's more or less
> > relevant. It was DELL R710 I spoke of above, but R610 were quite equal in
> > performance, once I fixed bugs mentioned in these mails:
> > 
> > http://kameli.org/r610-dmesg.txt
> > http://kameli.org/if_em-fixes.txt
> 
> I see the CPUs were Xeon E5540.
> They have up to 25 GB/s of memory bandwidth per socket and the machine used
> a PCI-e bus which also had much more bandwidth than the 4 Gb/s of your
> network card.
> This should have been plenty.
> 
> Still, I've not found an official product page on the Intel web site for your
> network adapter and given the bugs you have encountered, I wouldn't dismiss
> it entirely as the cause of some of your troubles.

A Broadcom chipset on the same hardware was giving roughly the same performance,
with perhaps 50-60Mbps difference. This given Intel chip IS sub-par for
what I'm used to, but not so that it could be blamed for bad
performance.

OpenBSD had one core out of sixteen sitting 100% utilized with interrupt
handler, rest just idling. FreeBSD was doing something a bit better
since its throughput was higher, but not nearly as high as could be
expected from this hardware. I only tested FreeBSD anyway when I was
trying to figure out those kernel bugs, didn't spend more than half an
hour with it after seeing it works fine. 

PF simply handles packets in a completely serialized fashion and there's
no getting around it, unless multiple machines are used to share load.
This is my primary (and pretty much only) reason to be interested in
getting rid of PF. 

-- 
Atte Peltomäki
     atte.peltomaki at iki.fi <> http://kameli.org
"Your effort to remain what you are is what limits you"





More information about the Kernel mailing list