Contributed by merdely on from the turbo-boosted dept.
Earlier today, mcbride@ committed code that only calls add_net_randomness() once per interrupt instead of once per packet. This significantly improves performance on Soekris boxes.
Then henning@ committed some changes that double PF performance by removing mbuf tag usage.
Edit: And even later, henning@ committed more changes to pf that gain another 10%+ in performance. Commit messages below.
CVSROOT:	/cvs
Module name:	src
Changes by:	mcbride a t cvs openbsd org	2007/05/28 02:48:15

Modified files:
	sys/net        : if.c netisr.h netisr_dispatch.h

Log message:
Only call add_net_randomness() once per interrupt instead of once per packet. If
multiple packets come in on a single interrupt the times mixed into the randomness
pool will be identical or predictably close anyways, and nanotime() is expensive.

ok toby jason miod claudio
CVSROOT:	/cvs
Module name:	src
Changes by:	henning a t cvs openbsd org	2007/05/28 11:16:39

Modified files:
	sys/altq       : altq_cbq.c altq_hfsc.c altq_priq.c altq_red.c
	sys/kern       : uipc_mbuf.c
	sys/net        : if_bridge.c pf.c pf_norm.c pfvar.h
	sys/netinet    : ip_input.c ipsec_input.c ipsec_output.c
	sys/netinet6   : ip6_forward.c ip6_input.c
	sys/sys        : mbuf.h

Log message:
double pf performance.
boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags, routing
table IDs, packets redirected to localhost etc. so each and every packet going
through pf got an mbuf tag. mbuf tags use malloc'd memory, and that is kinda
slow. instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to 58 MBit/s
with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk
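The data-structure change that commit describes, as an added toy comparison in C. This is not OpenBSD's code: the pf_pktinfo fields are a hypothetical subset of what pf tracks, the m_tag-style helpers are simplified stand-ins that only borrow the BSD names, and the packet counts are constructed. Both schemes are driven through the same stamp-then-look-up sequence so that their results can be compared while the allocation count shows where the per-packet malloc went.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical subset of the per-packet state pf carries, modelled on the
 * commit's list: tag, routing table id, altq queue, route-to bookkeeping. */
struct pf_pktinfo {
    uint16_t tag;       /* value from the "tag" keyword */
    uint16_t rtableid;  /* routing table the packet should use */
    uint32_t qid;       /* altq queue id */
    uint8_t  routed;    /* route-to / reply-to already applied */
};

static unsigned long malloc_calls;   /* allocations each scheme needed */

/* Old scheme: the state lives in a malloc'd tag chained off the packet.
 * The names mimic the BSD m_tag API; this is a toy reimplementation. */
#define PACKET_TAG_PF 1

struct m_tag {
    struct m_tag *next;
    uint16_t type;
    uint16_t len;       /* payload of len bytes follows the header */
};

struct mbuf_tagged {
    struct m_tag *tags; /* packet data omitted */
};

static struct m_tag *m_tag_find(const struct mbuf_tagged *m, uint16_t type)
{
    for (struct m_tag *t = m->tags; t != NULL; t = t->next)
        if (t->type == type)
            return t;
    return NULL;
}

static void m_tag_delete_chain(struct mbuf_tagged *m)
{
    while (m->tags != NULL) {
        struct m_tag *t = m->tags;
        m->tags = t->next;
        free(t);
    }
}

/* Find or allocate the pf tag: this is the per-packet malloc the commit removes. */
static struct pf_pktinfo *pf_info_tagged(struct mbuf_tagged *m)
{
    struct m_tag *t = m_tag_find(m, PACKET_TAG_PF);
    if (t == NULL) {
        t = malloc(sizeof *t + sizeof(struct pf_pktinfo));   /* m_tag_get */
        if (t == NULL)
            return NULL;
        malloc_calls++;
        t->type = PACKET_TAG_PF;
        t->len = (uint16_t)sizeof(struct pf_pktinfo);
        memset(t + 1, 0, t->len);
        t->next = m->tags;                                    /* m_tag_prepend */
        m->tags = t;
    }
    return (struct pf_pktinfo *)(t + 1);
}

/* New scheme: the same fields are members of the packet header, so the
 * lookup is a fixed offset and costs no allocation at all. */
struct mbuf_inline {
    struct pf_pktinfo pf;   /* zeroed when the header is initialised */
};

static struct pf_pktinfo *pf_info_inline(struct mbuf_inline *m) { return &m->pf; }

/* Push npkts packets through a toy "pf": stamp each on the way in, then read
 * the state back as the output path would. Returns the sum of the values read
 * back so both schemes can be checked for identical behaviour. */
static unsigned long run_packets(bool use_tags, unsigned npkts)
{
    unsigned long total = 0;
    for (unsigned i = 0; i < npkts; i++) {
        struct mbuf_tagged mt = { NULL };
        struct mbuf_inline mi = { { 0, 0, 0, 0 } };
        struct pf_pktinfo *info;

        info = use_tags ? pf_info_tagged(&mt) : pf_info_inline(&mi);
        if (info == NULL)
            return 0;
        info->tag = 7;
        info->qid = 5;
        info->rtableid = (uint16_t)(i & 1);
        info->routed = 1;
        /* a later stage looks the same state up again */
        info = use_tags ? pf_info_tagged(&mt) : pf_info_inline(&mi);
        total += info->tag + info->qid + info->rtableid + info->routed;
        m_tag_delete_chain(&mt);   /* frees the tag; nothing to free inline */
    }
    return total;
}
```

Running run_packets() with use_tags set and then cleared gives the same total for both schemes; malloc_calls ends up equal to the packet count in the tagged case and stays at zero in the inline case, which is the whole cost the commit removes from the per-packet path.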
More henning@ goodness:
CVSROOT:	/cvs
Module name:	src
Changes by:	henning a t cvs openbsd org	2007/05/28 18:50:41

Modified files:
	sys/net        : pf.c

Log message:
gain us another 10+% of performance.
boring details:
long time ago (in r1.313) code was added to handle protocol checksums:
> Check protocol (TCP/UDP/ICMP/ICMP6) checksums of all incoming packets,
> and drop packets with invalid checksums. Without such a check, pf would
> return RST/ICMP errors even for packets with invalid checksums, which
> could be used to detect the presence of the firewall, reported by
> "Ed White" in http://www.phrack.org/phrack/60/p60-0x0c.txt.
that meant we did the checksumming for each and every packet traversing pf.
now only do the checksumming right before we send an RST back, so in all
other cases we save that work.
ok bob theo
[Edit: Better phrack link]
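The checksum point from that last commit message, as an added example that is not pf's own code: a one's-complement TCP checksum verifier plus a toy decision routine that contrasts the old path (every packet verified on entry) with the new one (verification only right before an RST would go out). The rule actions, the verdict names and the IPv4/TCP SYN are constructed for the example. The property being preserved is the one the quoted reference describes: a real host silently drops a segment with a bad checksum, so a firewall that answers such a segment gives itself away; checking lazily keeps that behaviour on the RST path while skipping the work for every packet that is passed or dropped silently.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum rule_action { RULE_PASS, RULE_BLOCK_DROP, RULE_BLOCK_RST };
enum verdict { PF_PASS, PF_DROP, PF_RST };

static unsigned long cksum_calls;   /* how often the expensive check ran */

/* RFC 1071 one's-complement sum of a buffer, accumulated into sum. */
static uint32_t cksum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len > 0)
        sum += (uint32_t)p[0] << 8;
    return sum;
}

static uint16_t cksum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Verify the TCP checksum of an IPv4 packet (pseudo-header + segment).
 * With a correct checksum field in place the folded sum comes out as 0. */
static bool tcp_cksum_valid(const uint8_t *pkt, size_t len)
{
    uint8_t pseudo[12];
    size_t ihl, tcplen;
    uint32_t sum;

    cksum_calls++;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return false;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20)
        return false;
    tcplen = len - ihl;
    memcpy(pseudo, pkt + 12, 8);        /* source and destination address */
    pseudo[8] = 0;
    pseudo[9] = 6;                      /* IPPROTO_TCP */
    pseudo[10] = (uint8_t)(tcplen >> 8);
    pseudo[11] = (uint8_t)tcplen;
    sum = cksum_add(0, pseudo, sizeof pseudo);
    sum = cksum_add(sum, pkt + ihl, tcplen);
    return cksum_fold(sum) == 0;
}

/* Toy pf decision for a TCP packet. eager=true is the old behaviour (every
 * packet checksummed on entry); eager=false is the commit's behaviour (the
 * checksum is verified only when an RST would otherwise go out). */
static enum verdict pf_test_tcp(const uint8_t *pkt, size_t len,
                                enum rule_action rule, bool eager)
{
    if (eager && !tcp_cksum_valid(pkt, len))
        return PF_DROP;
    switch (rule) {
    case RULE_PASS:
        return PF_PASS;     /* the end host verifies the checksum itself */
    case RULE_BLOCK_DROP:
        return PF_DROP;     /* silent either way, no checksum work needed */
    case RULE_BLOCK_RST:
        /* A real host never answers a corrupted segment, so neither may
         * the firewall: verify now and drop silently if the sum is bad. */
        if (!eager && !tcp_cksum_valid(pkt, len))
            return PF_DROP;
        return PF_RST;
    }
    return PF_DROP;
}

/* Constructed sample (not captured traffic): a minimal IPv4/TCP SYN from
 * 10.0.0.1:50000 to 10.0.0.2:22 with valid IP and TCP checksums. */
static size_t build_syn(uint8_t *buf)
{
    static const uint8_t pseudo[12] = { 10,0,0,1, 10,0,0,2, 0,6, 0,20 };
    uint8_t *tcp = buf + 20;
    uint16_t ck;

    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = 6;  /* v4, len, ttl, tcp */
    memcpy(buf + 12, pseudo, 8);
    tcp[0] = 0xc3; tcp[1] = 0x50;           /* source port 50000 */
    tcp[3] = 22;                            /* destination port 22 */
    tcp[12] = 0x50;                         /* data offset: 5 words */
    tcp[13] = 0x02;                         /* SYN */
    tcp[14] = 0xff; tcp[15] = 0xff;         /* window */
    ck = cksum_fold(cksum_add(cksum_add(0, pseudo, 12), tcp, 20));
    tcp[16] = (uint8_t)(ck >> 8); tcp[17] = (uint8_t)ck;
    ck = cksum_fold(cksum_add(0, buf, 20));
    buf[10] = (uint8_t)(ck >> 8); buf[11] = (uint8_t)ck;
    return 40;
}
```

Flipping one byte of a copy of the SYN makes tcp_cksum_valid() fail; with eager cleared, a pass or block-drop rule returns its verdict without touching cksum_calls, a block-rst rule on the corrupted copy yields PF_DROP rather than PF_RST, and only the RST path increments the counter. The same corrupted packet under eager=true is dropped before the rule is even consulted, which is the work the commit stops doing.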
Wow! Just Wow!