Re: Update features on PF(OpenBSD4.2)
* Beavis [EMAIL PROTECTED] [2007-10-22 18:29]:
> hi folks,
>
> I saw this performance issue with pf on an AMD64 firewall: below is the link
>
> http://www.nabble.com/firewall-is-very-slow%2C-something%27s-wrong-t4572653i20.html
>
> it states that pf on 4.2 performs much better than in 4.1. having said
> this, is it possible to be able to just update pf's feature instead of
> going through the entire OS upgrade? since I'm really going after the
> features of pf, and happy with how 4.1 is.
>
> any comments are awesomely appreciated.

yes, excellent idea, that is exactly what you should do!

Instead of doing the boring, pretty riskless 10 minutes taking 4.2 upgrade everybody could easily do, you should figure out which files are pf, update them, figure out that the kernel doesn't build because of changes through the network stack, patch for a week or two until you have a kernel that builds, figure out pfctl, netstat and friends don't work, another week...

a bit (about when these boring wackos that just upgrade install 4.3) later when you have a kernel that boots and a userland that seems to work with it, you have a totally unique system! nobody else is running that! ok, nobody else sees the crashes you do, but hey, they're all boring wackos.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam

Re: Update features on PF(OpenBSD4.2)
Henning Brauer [EMAIL PROTECTED] writes:
> doing the boring, pretty riskless 10 minutes taking 4.2 upgrade
> everybody could easily do,

for some combinations of crappy old hardware, too small memory size and nonsensically large filesystems it might stretch into 20-odd minutes, but otherwise my sentiments exactly in the parts I've snipped.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Re: Update features on PF(OpenBSD4.2)
On Mon, Oct 22, 2007 at 10:20:41AM -0600, Beavis wrote:
| hi folks,
|
| I saw this performance issue with pf on an AMD64 firewall: below is the link
|
| http://www.nabble.com/firewall-is-very-slow%2C-something%27s-wrong-t4572653i20.html
|
| it states that pf on 4.2 performs much better than in 4.1. having said
| this, is it possible to be able to just update pf's feature instead of
| going through the entire OS upgrade? since I'm really going after the
| features of pf, and happy with how 4.1 is.

Some of the improvements are outside of pf (some drivers have had drastic improvements), so only updating pf may not even get you all the new performance improvements that were made between 4.1 and 4.2.

However, since pf is part of the kernel, the short answer to your question is no. You must upgrade the kernel to be able to use the new pf. The new kernel requires new userland, so that too must be upgraded.

If you really want, and are a highly qualified coder, you could try to backport the improvements to 4.1. You'll find that upgrading is way (and I do mean *WAY*) easier than doing this work. If you are such a skilled programmer, your time is probably better spent doing other useful stuff (maybe improve pf even more).

The upgrade will take you a couple of minutes to an hour, depending on your exact situation. The backport will take you probably about six months and a team of dedicated OpenBSD developers. You will at the end be left with something that is not OpenBSD 4.1 anymore. How (and when) are you going to upgrade that?

Unless you consider this backport-thing a fun exercise, I would recommend against doing it.

Cheers,

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-]
http://www.weirdnet.nl/

Re: Update features on PF(OpenBSD4.2)
On 10/22/07, Beavis [EMAIL PROTECTED] wrote:
> hi folks,
>
> I saw this performance issue with pf on an AMD64 firewall: below is the link
>
> http://www.nabble.com/firewall-is-very-slow%2C-something%27s-wrong-t4572653i20.html
>
> it states that pf on 4.2 performs much better than in 4.1. having said
> this, is it possible to be able to just update pf's feature instead of
> going through the entire OS upgrade? since I'm really going after the
> features of pf, and happy with how 4.1 is.

I am not certain I understand the negative impact of a full 4.2 upgrade.

Sam Fourman Jr.

Re: Update features on PF(OpenBSD4.2)
thanks for the reply guys,

I currently run CARP and pfsync on both boxes (upgrade can be done with less downtime) though I haven't tried to stress test my setup, I guess this upgrade is do-able. instead of coding (I'm not a coder).

regards,
-beavis

On 10/22/07, Paul de Weerd [EMAIL PROTECTED] wrote:
> On Mon, Oct 22, 2007 at 10:20:41AM -0600, Beavis wrote:
> | hi folks,
> |
> | I saw this performance issue with pf on an AMD64 firewall: below is the link
> |
> | http://www.nabble.com/firewall-is-very-slow%2C-something%27s-wrong-t4572653i20.html
> |
> | it states that pf on 4.2 performs much better than in 4.1. having said
> | this, is it possible to be able to just update pf's feature instead of
> | going through the entire OS upgrade? since I'm really going after the
> | features of pf, and happy with how 4.1 is.
>
> Some of the improvements are outside of pf (some drivers have had
> drastic improvements), so only updating pf may not even get you all
> the new performance improvements that were made between 4.1 and 4.2.
>
> However, since pf is part of the kernel, the short answer to your
> question is no. You must upgrade the kernel to be able to use the new
> pf. The new kernel requires new userland, so that too must be upgraded.
>
> If you really want, and are a highly qualified coder, you could try to
> backport the improvements to 4.1. You'll find that upgrading is way
> (and I do mean *WAY*) easier than doing this work. If you are such a
> skilled programmer, your time is probably better spent doing other
> useful stuff (maybe improve pf even more).
>
> The upgrade will take you a couple of minutes to an hour, depending on
> your exact situation. The backport will take you probably about six
> months and a team of dedicated OpenBSD developers. You will at the end
> be left with something that is not OpenBSD 4.1 anymore. How (and when)
> are you going to upgrade that?
>
> Unless you consider this backport-thing a fun exercise, I would
> recommend against doing it.
>
> Cheers,
>
> Paul 'WEiRD' de Weerd
>
> --
> [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-]
> http://www.weirdnet.nl/