Time to let go of ipfilter

Sepherosa Ziehau sepherosa at gmail.com
Tue Feb 22 02:59:05 PST 2011


On Tue, Feb 22, 2011 at 6:36 PM, Francois Tigeot <ftigeot at wolfpond.org> wrote:
> On Tue, Feb 22, 2011 at 11:49:49AM +0200, Atte Peltomäki wrote:
>> On Tue, Feb 22, 2011 at 10:16:48AM +0100, Francois Tigeot wrote:
>> > On Tue, Feb 22, 2011 at 10:45:35AM +0200, Atte Peltomäki wrote:
>> > > On Tue, Feb 22, 2011 at 02:20:59AM -0600, Chris Turner wrote:
>> > > > On 02/21/11 07:57, Atte Peltomäki wrote:
>> > > > > PF is simply too slow. It does have good functionality and it's easy to
>> > > > > use, but it doesn't scale beyond small/medium networks. I stress-tested
>> > > > > it some time ago and OpenBSD/pf could get a combined throughput of
>> > > > > around 1.6Gbps. FreeBSD/pf got a little better, but not so that it would
>> > > > > really mean much.
>> > > >
>> > > > What was the max {memory,pci,processor} bandwitdth on the machine under
>> > > > test?
>>
>> I see. It's been ages, but I found something that's more or less
>> relevant. It was DELL R710 I spoke of above, but R610 were quite equal in
>> performance, once I fixed bugs mentioned in these mails:
>>
>> http://kameli.org/r610-dmesg.txt
>> http://kameli.org/if_em-fixes.txt
>
> I see the CPUs were Xeon E5540.
> They have up to 25 GB/s of memory bandwidth per socket and the machine used
> a PCI-e bus which also had much more bandwidth than the 4 Gb/s of your
> network card.
> This should have been plenty.
>
> Still, I've not found an official product page on the Intel web site for your
> network adapter and given the bugs you have encountered, I wouldn't dismiss
> it entirely as the cause of some of your troubles.

How FreeBSD setting up the TX hardware checksum for em(4) is not
correct from performance point of view; it simply whacks all of the
pipelining effect of the hardware.

On my old athlon64 X2 3600+ w/ the old good 81571EB, I could push out
1.4Mpps w/ the em on dfly but if I setup the TX descriptor as what
FreeBSD does, I could only get 800Kpps on dfly.

So sometimes, don't blame poor firewall...

Best Regards,
sephe

-- 
Tomorrow Will Never Die






More information about the Kernel mailing list