Time to let go of ipfilter

Sepherosa Ziehau sepherosa at gmail.com
Sat Jan 22 08:09:44 PST 2011

On Fri, Jan 21, 2011 at 8:23 PM, joris dedieu <joris.dedieu at gmail.com> wrote:
> 2011/1/21 Sepherosa Ziehau <sepherosa at gmail.com>:
>> Hi all,
> Hi sephe
>> ipfilter is not maintained in dragonfly at all, I plan to remove it.
> Just a word about it. Currently we (a French hoster, http://www.nfrance.com) use
> DragonFly (2.6, as 2.8 broke ipsec) as the primary OS for our routers (20 machines)
> with quagga and ipf. And it works really well (better than the FreeBSD we were
> previously using).
> Our requirement for routing machines is to be able to gracefully handle
> 200-300mb/s traffic load with filtering (stateless) and bgp/ospf routing
> (full table). Crash test is at 400mb/s in the lab.
> We chose ipf for historical reasons (previously used on FreeBSD). But
> we experienced on FreeBSD that it's really faster than pf.
> Do you think there is currently another software (maybe ipfw) that can
> filter 200/300 mb/s load?

Stateless ipfw in dfly is completely lockless and MPSAFE.

As for how much it can push, it depends on how many static rules
you are going to use.

As far as I have tested, when I finished the code to make ipfw MPSAFE
(the following was tested w/ the smallest packets):
w/o ipfw                    600Kpps~650Kpps
w/ ipfw, one default rule   500Kpps~550Kpps
w/ ipfw, 30 no-match rules  ~300Kpps

I have tested w/ 100 no-match rules, but I don't remember the result
clearly; it should be ~100Kpps.  All of the above results were measured
using the simplest routing table and polling(4) at 1000Hz.  The hardware
is a phenom9550 w/ 2G memory w/ an Intel 82571EB.

BTW, ipfw static rule evaluation is known to be faster than others.

Best Regards,

Tomorrow Will Never Die
