On Fri, 25 Feb 2011 08:41:20 +0900, Ryan McBride <mcbr...@openbsd.org> wrote:
> On Wed, Feb 23, 2011 at 06:07:16PM +0100, Patrick Lamaiziere wrote:
> > I log the congestion counter (each 10s) and there are at max 3 or 4
> > congestions per day. I don't think the bottleneck is pf.
>
> The congestion counter doesn't directly mean you have a bottleneck in
> PF; it's triggered by the IP input queue being full, and could
> indicate a bottleneck in other places as well, which PF tries to help
> out with by dropping packets earlier.
>
> > > Interface errors?
> >
> > Quite a lot.
>
> The output of `systat mbufs` is worth looking at, in particular the
> figure for LIVELOCKS, and the LWM/CWM figures for the interface(s) in
> question.
>
> If the livelocks value is very high, and the LWM/CWM numbers are very
> small, it is likely that the MCLGETI interface is protecting your
> system from being completely flattened by forcing the em card to drop
> packets (supported by your statement that the error rate is high). If
> it's bad enough MCLGETI will be so effective that the pf congestion
> counter will not get incremented.

systat mbufs:

IFACE   LIVELOCKS  SIZE  ALIVE  LWM   HWM  CWM
System              256    375        149
                     2k    240       1125
em0          1772    2k     80    4   256   80
em1            11    2k      5    4   256    5
em2           293    2k    110    4   256  110
em3
em4            18    2k     11    4   256   11
em5            10    2k     12    4   256   12
em6            14    2k      5    4   256    5
bnx0            3    2k      4    2   510    4
bnx1            1    2k      4    2   510    4
bnx3            1    2k      2    2   510    2

> > > You mentioned the following in your initial email:
> > > #define MAX_INTS_PER_SEC 8000
> >
> > Do you think I can increase this value? The interrupt rate of the
> > machine is at max ~60% (top).
>
> Increasing this value will likely hurt you. 60% interrupt rate sounds
> about right to me for a firewall system that is running at full tilt;
> 100% interrupt is very bad, if your system spends all cycles servicing
> interrupts it will not do very much of anything useful.
> >
> > dmesg:
> > em0 at pci5 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev
> > 0x06: apic 1 int 13 (irq 14), address 00:15:17:ed:98:9d
> >
> > em4 at pci9 dev 0 function 0 "Intel PRO/1000 QP (82575GB)" rev 0x02:
> > apic 1 int 23 (irq 11), address 00:1b:21:38:e0:80
>
> How about a _full_ dmesg, so someone can take a wild guess at what
> your machine is capable of?
>
> -Ryan
> --

-- 
Patrick Lamaizière
CRI Université de Rennes 1
Tél: 02 23 23 71 45
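
The reading of `systat mbufs` described in the quoted reply above, as an added example (not code from this thread or from OpenBSD): it parses saved output and marks interfaces where LIVELOCKS is high and CWM sits at LWM. The sample figures are constructed, and the thresholds, the state names and the treatment of a blank LIVELOCKS cell as 0 are assumptions, since the thread gives no numbers.

```python
# Thresholds are assumptions for illustration: the thread does not say what
# counts as "very high" livelocks or "very small" LWM/CWM.
LIVELOCKS_HIGH = 1000
CWM_NEAR_LWM_FACTOR = 2

# Constructed sample in the layout of the `systat mbufs` output posted above.
SAMPLE = """\
IFACE   LIVELOCKS  SIZE  ALIVE  LWM   HWM  CWM
System              256    410        160
                     2k    250       1100
em0          5400    2k      6    4   256    4
em1            12    2k     90    4   256   96
em2          2100    2k    120    4   256  128
em3
bnx0                 2k      4    2   510    4
"""


def parse_mbufs(text):
    """Return {iface: figures} for rows that carry per-interface ring data."""
    rows = {}
    for line in text.splitlines():
        tok = line.split()
        # Skip the header, the System pool rows and interfaces with no ring.
        if len(tok) < 6 or tok[0] in ("IFACE", "System"):
            continue
        name, rest = tok[0], tok[1:]
        if len(rest) == 5:  # blank LIVELOCKS cell, treated as 0 (assumption)
            rest = ["0"] + rest
        livelocks, size, alive, lwm, hwm, cwm = rest
        rows[name] = {"livelocks": int(livelocks), "size": size,
                      "alive": int(alive), "lwm": int(lwm),
                      "hwm": int(hwm), "cwm": int(cwm)}
    return rows


def classify(row):
    """Apply the reading from the thread to one interface row."""
    high = row["livelocks"] >= LIVELOCKS_HIGH
    pinned = row["cwm"] <= row["lwm"] * CWM_NEAR_LWM_FACTOR
    if high and pinned:
        return "throttled"  # ring held near LWM: expect drops at the NIC
    if high:
        return "livelocks"  # livelocks counted, but the ring is not pinned
    return "ok"


def report(text):
    return {name: classify(row) for name, row in parse_mbufs(text).items()}


if __name__ == "__main__":
    for name, state in report(SAMPLE).items():
        print(f"{name:6} {state}")
```

An interface reported as "throttled" is the case where, per the quoted reply, the pf congestion counter may stay flat even though packets are being dropped, so interface error counters are the figure to watch alongside it.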