On 2007/10/31 14:02, Guntis Bumburs wrote:
> It would be nice if there was a knob to mark some rules "skip on high load"
> so they would be skipped to avoid congestion.

So, when the system is already busy, it has to do extra processing to figure out which rules to use? Hmmmm...

> I suspected the rule marked with "Y" because table <mycountry> contains the
> whole country's aggregated IP list.

Tables are quite low-overhead.

> Had to take out rule "X" and no more sign of congestion
> scrub in
> X

Well, scrub is a relatively expensive operation, but without it you can't rely on end hosts processing packets the same way as PF sees them (for example, different OSes handle overlapping fragments in different ways, and this ambiguity can be used to bypass your firewall).

If you didn't already bump net.inet.ip.ifq.maxlen, doing so should help a lot. But, for sure, make the 4.2 upgrade a priority.
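As an added illustration of the points above (not a configuration from this thread), here is a pf.conf fragment in OpenBSD 4.2-era syntax that keeps the country list as a table, keeps scrub but confines it to the outside interface, and notes the ifq tunable; the interface name, the table file path, the port and the maxlen value are assumptions chosen for the example.

```pf
# Added example pf.conf fragment (OpenBSD 4.2 syntax), not from the thread.
# Assumptions: em0 is the outside interface, /etc/mycountry holds the
# aggregated country prefixes, port 80 and the maxlen value are illustrative.
ext_if = "em0"

# Table lookups are cheap even for a whole country's prefixes, so a single
# table beats expanding the list into many individual rules.
table <mycountry> persist file "/etc/mycountry"

# scrub normalizes traffic (fragment reassembly and similar) so PF and the end
# hosts see the same packet. It costs CPU, but removing it reopens the
# overlapping-fragment ambiguity described in the reply; restrict it to the
# outside interface instead of dropping it entirely.
scrub in on $ext_if all fragment reassemble

block in on $ext_if all
pass in on $ext_if proto tcp from <mycountry> to ($ext_if) port 80 keep state
pass out on $ext_if keep state

# /etc/sysctl.conf (not part of pf.conf): enlarge the IP input queue so bursts
# are queued rather than dropped while PF is busy with scrub.
#   net.inet.ip.ifq.maxlen=1024
# Inspect the queue counters (len, maxlen, drops) with: sysctl net.inet.ip.ifq
```

Reload with pfctl -f /etc/pf.conf after checking it with pfctl -nf /etc/pf.conf; the sysctl line takes effect at boot or immediately via sysctl net.inet.ip.ifq.maxlen=1024.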