Hi Folks,

First off, I *am* planning to install 4.2 on this box as soon as we can -- the CDs are in the mail somewhere between North America and NZ ;)
Over the last few days I have been closely monitoring the vital signs via pfctl -si; here is a typical view:

  State Table                          Total             Rate
    current entries                    49289
    searches                    119893712718        22046.2/s
    inserts                       1978241687          363.8/s
    removals                      1978192398          363.8/s
  Counters
    match                        68198321520        12540.4/s
    bad-offset                             0            0.0/s
    fragment                           23546            0.0/s
    short                               7476            0.0/s
    normalize                          50171            0.0/s
    memory                            360196            0.1/s
    bad-timestamp                          0            0.0/s
    congestion                       3163777            0.6/s
    ip-option                          10950            0.0/s
    proto-cksum                     45916863            8.4/s
    state-mismatch                  26670110            4.9/s
    state-insert                           0            0.0/s
    state-limit                            0            0.0/s
    src-limit                              0            0.0/s
    synproxy                               0            0.0/s

I note that the "memory" counter is going up at a rate of 0.1/s. My understanding is that this counter is stepped when pf fails to get memory for a state entry, but we are nowhere near the state limit:

  $ sudo head /etc/pf.conf
  set limit states 150000
  set timeout tcp.first 120
  set timeout tcp.established 86400
  set timeout { adaptive.start 90000, adaptive.end 250000}

So clearly there is something I don't understand.

Even more of a worry is that the congestion counter is at 0.6/s and, worse, it has stayed at this level even though I have made considerable optimisations to the rule set. The bulk of the rules are generated by a script from a database. When I initially did this, performance was not an issue, so I did not worry about ordering. (I don't think the pfctl -o switch was around then.) I removed a lot (hundreds) of small tables (with less than 4 addresses in them), replaced them with multiple rules and added -oo to the load. To my surprise this appears to have had almost no effect on the CPU usage (which sits at around 50% interrupts and nothing anywhere else) or on the pfctl -si output. Is there something else I might be missing?

BTW, according to the pf stats from symon we are seeing about 10K packets/sec in and out of the firewall (this matches the state searches above). I'm not sure what time these are averaged over, so peaks could be well in excess of this.

Russell
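As an added example (not part of Russell's post or of pf itself): a small Python checker that parses pfctl -si output, reports any of the counters that should stay flat on a healthy firewall (memory, congestion, state-insert, state-limit, src-limit) that are still rising, and shows state-table use against the "set limit states" value. The sample output is constructed from the numbers quoted above; the 150000 limit is the one from the pf.conf snippet.

```python
import re
# Constructed sample: the counters quoted in the post, laid out as pfctl -si prints them.
SAMPLE_PFCTL_SI = """\
State Table                          Total             Rate
  current entries                    49289
  searches                    119893712718        22046.2/s
  inserts                       1978241687          363.8/s
  removals                      1978192398          363.8/s
Counters
  match                        68198321520        12540.4/s
  bad-offset                             0            0.0/s
  fragment                           23546            0.0/s
  short                               7476            0.0/s
  normalize                          50171            0.0/s
  memory                            360196            0.1/s
  bad-timestamp                          0            0.0/s
  congestion                       3163777            0.6/s
  ip-option                          10950            0.0/s
  proto-cksum                     45916863            8.4/s
  state-mismatch                  26670110            4.9/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
"""
# One indented "name  total [rate/s]" line; section headers have no indent and are skipped.
LINE_RE = re.compile(r"^\s+([a-z-]+(?: [a-z]+)?)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$")

def parse_pfctl_si(text):
    """Return {counter: (total, rate_per_second or None)} from pfctl -si output."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, total, rate = m.groups()
            counters[name] = (int(total), float(rate) if rate else None)
    return counters

# Counters that stay flat on a healthy firewall; any nonzero rate deserves a look.
WATCH = ("memory", "congestion", "state-insert", "state-limit", "src-limit")

def check(counters, state_limit):
    """List watched counters that are still rising, plus state-table use vs. 'set limit states'."""
    findings = []
    for name in WATCH:
        total, rate = counters.get(name, (0, None))
        if rate:
            findings.append(f"{name}: {total} total, rising at {rate}/s")
    entries = counters["current entries"][0]
    findings.append(f"state table at {100.0 * entries / state_limit:.1f}% of limit {state_limit}")
    return findings
```

Running check(parse_pfctl_si(SAMPLE_PFCTL_SI), 150000) on the sample reports the memory and congestion counters and a state table at about a third of its limit, which is the mismatch the post asks about.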