I have a pair of Sun Fire X2100M2's connected via 100M eth switches
(yeah, crippling gig-E) and running pfil 2.1.11, ip_fil4.1.16 and
was noticing significant TCP throughput performance differences
for traffic between various ethernet interfaces on the two systems.
(both systems running Solaris 10/x86 6/06 with 26 Feb recommended
patch cluster, NVIDIA add-on driver patch 122530-02 for nge)
eg:
    system1 bge0 -> system2 bge0    1700KB/s
    system1 bge1 -> system2 bge1   11000KB/s
    system1 nge1 -> system2 nge1   11000KB/s
With top I noticed a significant portion of system time being consumed
in the bge0 test (like 50%).
Using
    lockstat -kIi997 sleep 10
it seems this was due to the unconditional sprintf inside pfil_printmchain()
that formats every packet's data as hex and then throws it all away.
(I have PFILDEBUG enabled, but pfildebug=0 as they are by default)
It seems to me that there should be an extra test in pfil_printmchain()
for pfildebug, and if it's zero (or maybe less than 50), just return,
to save the time waste.
What is curious though is that this problem only manifests itself
on one of the 3 interfaces I have enabled in the system, suggesting
something else is broken, as I would have thought that all interface
traffic would pass thru the same code.
(yes I've verified pfil module is pushed on all interfaces)
It doesn't manifest itself on another X2100M2 system that only has
bge0 enabled but.
Not sure if pfil2.1.12 fixes this but:
http://coombs.anu.edu.au/~avalon/ipf-mentat.html
isn't reachable right now (some problem at ANU it seems).
I also saw another posting on this list a while back about this issue,
and PFILDEBUG enabled ...
Subject: Re: ipfilter and backup software?
From: Andrew Wenlang Zhu <[EMAIL PROTECTED]>
Date: Fri, 06 Oct 2006 11:09:48 -0700 (Sat 04:09 EST)
seems it hasn't been fixed yet.
Ian D
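
The guard suggested in the message above, as an added example (not code from pfil or from the poster): it counts how many packet bytes get hex-formatted when the debug level is tested after formatting versus before. All names (debug_level, hex_format, dump_unguarded, dump_guarded, run) are hypothetical, and the 1500-byte packets are constructed sample data.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-ins; the real pfil source is not shown in the post. */
static int debug_level = 0;            /* plays the role of pfildebug */
static unsigned long bytes_formatted;  /* work done by the hex formatter */

/* Format len bytes of p as hex into out; returns characters written. */
static size_t hex_format(const unsigned char *p, size_t len,
                         char *out, size_t outsz)
{
    size_t n = 0;
    out[0] = '\0';
    for (size_t i = 0; i < len && n + 3 <= outsz; i++) {
        n += (size_t)snprintf(out + n, outsz - n, "%02x", p[i]);
        bytes_formatted++;
    }
    return n;
}

/* Pattern the post describes: format every packet, then decide to print. */
void dump_unguarded(const unsigned char *pkt, size_t len, int level)
{
    char buf[2 * 1500 + 1];
    hex_format(pkt, len, buf, sizeof buf);
    if (debug_level >= level)
        printf("%s\n", buf);
}

/* Suggested change: test the debug level before doing any formatting. */
void dump_guarded(const unsigned char *pkt, size_t len, int level)
{
    char buf[2 * 1500 + 1];
    if (debug_level < level)
        return;
    hex_format(pkt, len, buf, sizeof buf);
    printf("%s\n", buf);
}

/* Push n constructed 1500-byte packets through one variant at level 50
 * and return how many bytes were hex-formatted along the way. */
unsigned long run(void (*dump)(const unsigned char *, size_t, int), int n)
{
    unsigned char pkt[1500];
    for (size_t i = 0; i < sizeof pkt; i++)
        pkt[i] = (unsigned char)i;
    bytes_formatted = 0;
    for (int i = 0; i < n; i++)
        dump(pkt, sizeof pkt, 50);
    return bytes_formatted;
}
```

With the debug level at zero, the unguarded variant still formats every byte of every packet, while the guarded one does no formatting work at all.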