ut cannot be used
> as a conventional proxy (set up on the browser config). Reading the
> pf.conf man seems that there isn't a way to do that.
is the sslsplit transparent proxy running on the same machine on which
your web browsing happens? If the answer is yes, then PF simple rdr-to
will n
to send to my wireguard link (configured on this router) so I cooked up a
pf(4) line to match packets coming *in* on em2:
pass in on em2 proto tcp from 192.168.0.3 to (wg0:network) port
$nvr_wg0_allow_ports
").
Also I tried to make an IF alias like this
ifconfig em0 inet 192.168.0.6 255.255.255.0
ifconfig em0 inet alias 192.168.0.7 255.255.255.0
my gw is 192.168.0.1
I put listening the sslsplit on 192.168.0.7 (the alias) port 10443 and I
make a pf rule like this:
pass out log on em0 proto tcp from
] structure with pf
1. https://man.openbsd.org/pf.conf#TABLES
Sorry for the noise, I misread your question :P
--
Willy Manga
Hi,
On 12/06/2024 12:50, Kapetanakis Giannis wrote:
Hi,
[...]
2) I've found this tool yesterday (iprange) that its job is to optimize large
sets of IPs/Networks
https://github.com/firehol/iprange/wiki
I think that's why you have the 'tables' [1] structure with pf
1. https
Hi,
I have a couple of questions about pf tables.
1) Does it use radix tree and especially Patricia tree?
Trying to read the code and searches on web pointed to that.
2) I've found this tool yesterday (iprange) that its job is to optimize large
sets of IPs/Networks
https://github.com/firehol
> > > I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only
> > > > 64 physicals and carp interfaces but not my 45 vlan interfaces.
> > > >
> > > > My /etc/snmpd.conf
> > > > ROOT:amdrg2:/root > cat /etc/snmpd.conf
> >
On 11/06/2024 15:34, Martijn van Duren wrote:
> On Tue, 2024-06-11 at 14:56 +0300, Kapetanakis Giannis wrote:
>> On 10/06/2024 18:43, Marc Boisis wrote:
>>> Hello,
>>>
>>> I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64
>>>
Like Kapetanakis I have the 64 interface desc empty:
> snmpget -v2c -c public 127.0.0.1 OPENBSD-PF-MIB::pfIfDescr.64
OPENBSD-PF-MIB::pfIfDescr.64 = STRING:
So can we imagine a limit of 64 interfaces in the snmp (snmpd_metrics) code ?
> On 11 Jun 2024, at 14:34, Martijn van Duren
On Tue, 2024-06-11 at 14:56 +0300, Kapetanakis Giannis wrote:
> On 10/06/2024 18:43, Marc Boisis wrote:
> > Hello,
> >
> > I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64
> > physicals and carp interfaces but not my 45 vlan interfaces.
On 10/06/2024 18:43, Marc Boisis wrote:
> Hello,
>
> I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64
> physicals and carp interfaces but not my 45 vlan interfaces.
>
> My /etc/snmpd.conf
> ROOT:amdrg2:/root > cat /etc/snmpd.conf
> listen on 12
Hello Marc,
I don't have access to such a machine, but my vlan interfaces do show up
for me. Could you try and find a reproducer?
martijn@
On Mon, 2024-06-10 at 17:43 +0200, Marc Boisis wrote:
> Hello,
>
> I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64
>
Hello,
I've a 7.5 openBSD router, when I'm asking OPENBSD-PF-MIB I have only 64
physicals and carp interfaces but not my 45 vlan interfaces.
My /etc/snmpd.conf
ROOT:amdrg2:/root > cat /etc/snmpd.conf
listen on 127.0.0.1 snmpv2c
read-only community public
"pfctl -sI" list all int
leaves, right?
Right.
> what does the gateway's routing table say about how to reach the destination
> network?
Good question. Does it matter what the routing table contains, when I am
explicitly specifying where to send a packet via a pf rule?
In any case, here it is:
mjoelnir:/etc 7.06 1
On Fri, May 24, 2024 at 06:04:25PM +0200, Peter N. M. Hansteen wrote:
> On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote:
> > pfctl reports:
> > # pfctl -vvs rules | grep @
> > @0 block return log all
> > @1 pass in log on em0 inet proto udp from
On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote:
> pfctl reports:
> # pfctl -vvs rules | grep @
> @0 block return log all
> @1 pass in log on em0 inet proto udp from 192.168.178.166 to any tag UDP
> @2 pass out log on ure0 all flags S/SA tagged UDP
>
> I
Hi Guys,
Thanks for the feedback, to address your points:
1> Possibly stupid question, but did you set the sysctl(s) to enable forwarding?
Yes I tried this pf rule change with version 4 forwarding
(net.inet.ip.forwarding) both enabled and disabled.
Either way the pf "pass out tagg
> > > between two systems, so I though perhaps I could use pf to do just that
> > > by writing some rules along the lines of:
> > >
> > > 1. pass in on iface A proto UDP ... tag mcast
> > > 2. pass out on iface B tagged mcast
> >
On 23/05/2024 20:18, Peter N. M. Hansteen wrote:
On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote:
I need to quickly create a solution for forwarding multicast traffic
between two systems, so I thought perhaps I could use pf to do just that
by writing some rules along
On Thu, May 23, 2024 at 11:14:20AM +0200, Why 42? The lists account. wrote:
> I need to quickly create a solution for forwarding multicast traffic
> between two systems, so I thought perhaps I could use pf to do just that
> by writing some rules along the lines of:
>
> 1. p
Hi All,
I need to quickly create a solution for forwarding multicast traffic
between two systems, so I thought perhaps I could use pf to do just that
by writing some rules along the lines of:
1. pass in on iface A proto UDP ... tag mcast
2. pass out on iface B tagged mcast
On 19/05/2024 19:35, Kapetanakis Giannis wrote:
> On 19/05/2024 14:37, Stuart Henderson wrote:
>> On 2024-05-19, Kapetanakis Giannis wrote:
>>> This is a bit strange. pf works normal, but rules after an anchor are
>>> being attached to the anchor (somehow).
>>>
On 5/19/24 13:37, Stuart Henderson wrote:
I can confirm this is a problem, definitely seen in 7.4, I can't remember
if 7.3 was affected. 7.2 from Dec 22 seems ok.
Yes, 7.3 is affected. It is the same problem reported here:
https://marc.info/?l=openbsd-misc&m=168754952806369
On 19/05/2024 14:37, Stuart Henderson wrote:
On 2024-05-19, Kapetanakis Giannis wrote:
This is a bit strange. pf works normal, but rules after an anchor are
being attached to the anchor (somehow).
All states that are created from rules after the anchor, show the anchor
(pf rule) number instead
On 2024-05-19, Kapetanakis Giannis wrote:
> This is a bit strange. pf works normal, but rules after an anchor are
> being attached to the anchor (somehow).
>
> All states that are created from rules after the anchor, show the anchor
> (pf rule) number instead of (only) the rule
This is a bit strange. pf works normal, but rules after an anchor are
being attached to the anchor (somehow).
All states that are created from rules after the anchor, show the anchor
(pf rule) number instead of (only) the rule number in pfctl -vv and in
pflog.
Here is a quite simple example
On Mon, 15 Apr 2024, at 21:33, Thomas wrote:
> Hi all,
>
> I'm greatly enjoying OpenBSD and have it on most of my devices as I try
> to set up my "perfect lab". I would like some feedback / thoughts about
> one behaviour which I don't quite get.
>
> I have a VM for the world facing side of my
Hi all,
I'm greatly enjoying OpenBSD and have it on most of my devices as I try to set
up my "perfect lab". I would like some feedback / thoughts about one behaviour
which I don't quite get.
I have a VM for the world facing side of my network. I have a wireguard network
to link it up to a
> I don't think there is at present. There are no "only use v4" or "only
> use v6" addresses modifiers, and pf isn't figuring out for itself that
> it only makes sense to use addresses from the relevant family for
> af-to translation addresses (although it _does_ do
" or "only
use v6" addresses modifiers, and pf isn't figuring out for itself that
it only makes sense to use addresses from the relevant family for af-to
translation addresses (although it _does_ do this for nat-to).
>> Regarding the other rules and tests, the ::1 rule is wro
> Try changing ($wan:0) to $(wan) and see what happens.
Huh, that worked! Thanks!
Try changing ($wan:0) to $(wan) and see what happens.
> Can you try if the same happens with a more specific rule (for
> testing)?
>
> i.e.:
>
> pass in on igc3 inet6 from "put actual v6 prefix here" to 64:ff9b::/96
> af-to inet from "actual IP on igc0"/32
This worked! Specifically, I think the ($wan:0) was the problem. I
could've sworn I tried this
On 2024-03-15, Tobias Fiebig via misc wrote:
>
> Moin,
>> # perform nat64 (NOT WORKING)
>> pass in to 64:ff9b::/96 af-to inet from ($wan:0)
>
> Can you try if the same happens with a more specific rule (for
> testing)?
>
> i.e.:
>
> pass in on igc3 inet6 from "put actual v6 prefix here"
Moin,
> # perform nat64 (NOT WORKING)
> pass in to 64:ff9b::/96 af-to inet from ($wan:0)
Can you try if the same happens with a more specific rule (for
testing)?
i.e.:
pass in on igc3 inet6 from "put actual v6 prefix here" to 64:ff9b::/96
af-to inet from "actual IP on igc0"/32
I am
.google.com +short
ipv4.l.google.com.
64:ff9b::8efa:bc0e
However, the pf rule using af-to does not appear to do anything and
I haven't been able to figure out why. When I try to ping6, I get 100%
packet loss.
I inspected packets through tcpdump (after adding "log" to everything
htly
> > varying results. guess i should go back and test ix with LRO off on
> > the pf box.
>
> Sorry, I don't get your problem. You changed your firewall NICs from
> ix(4) to mcx(4) and the throughput got slower? Or, the speed is varying
> between 0.9 gbps and 1.0 gbps?
and ix)
em(4) does not support the LRO feature, just TSO with mglocker's diff.
> and very consistently getting close to the full 1gbps
> throughput on single tcp connections now instead of slower and slightly
> varying results. guess i should go back and test ix with LRO off on
> the pf
connections now instead of slower and slightly
varying results. guess i should go back and test ix with LRO off on
the pf box.
I have setup a transparent Tor proxy with the following pf ruleset:
https://paste.c-net.org/WharfSeasick
It routes most importantly all TCP and DNS traffic through the Tor network.
Now I want to have another rule for I2P bittorrent, meaning that there is a rule
for traffic that must be routed
> On Thu, Nov 30, 2023 at 03:55:49PM +0300, 4 wrote:
>>
>> "cbq can entirely be expressed in it" ok. so how do i set priorities for
>> queues in hfsc for my local(not for a router above that knows nothing about
>> my existence. tos is an absolutely unvia
On 2023/12/01 15:57, 4 wrote:
> >But CBQ doesn't help anyway, you still have this same problem.
> the problem when both from below and from above can be told to you "go and
> fuck yourself" can't be solved, but cbq gives us two mechanisms we need-
> priorities and traffic restriction. nothing
> On 2023-12-01, 4 wrote:
>I don't know why you are going on about SMT here.
i'm talking about not sacrificing functionality for the sake of hypothetical
performance. the slides say that using queues degrades performance by 10%. and
you're saying there won't be anything in the queues until an
6-fly, while ACKs would get priority of 7 and assigned to queue 7-ack.
Anyway, after years of usage, and lot of frustration in the beginning, I
find current approach more flexible, because in HFSC queue and priority
have to be the same, while in current pf we can set it to be exactly
like HFSC, but
>>> not a share of the total piece of the pie, and we don't need to know
>>> anything about the pie.
>
>> But unless you are sending more traffic than the *interface* speed,
>> you will be sending it out on receipt, there won't be any delays in
>> sending pac
and we don't need to know
>> anything about the pie.
> But unless you are sending more traffic than the *interface* speed,
> you will be sending it out on receipt, there won't be any delays in
> sending packets to the next-hop modem/router.
> There won't *be* any packets
hing
> about the pie.
But unless you are sending more traffic than the *interface* speed,
you will be sending it out on receipt, there won't be any delays in
sending packets to the next-hop modem/router.
There won't *be* any packets in the queue on the PF machine to send in
priority order.
> On Wed, 29 Nov 2023 00:12:02 +0300
> 4 wrote:
>> i haven't used queues for a long time, but now there is a need.
>> previously, queues had not only a hierarchy, but also a priority. now
>> there is no priority, only the hierarchy exists.
> It took me quite some time to wrap my head around
missing?
>>>
>>> man pf.conf
>>>
>>> Look for set tos. Just a few lines below set prio in the man page,
>>>
>>> You can have more than 8 if you need/have to.
>> > Only useful if devices upstream of the PF router know their available
>> band
ch queue.
Now all of the above is fine for home gateway with just "internet" and
"lan". Things get much more complicated if there are multiple VLANs on
internal interface, GRE / GIF of wireguard tunnels on external
interfaces etc.
I once had the privilege to sit with Henning, autho
On Thu, 2023-11-30 at 15:55 +0300, 4 wrote:
> "cbq can entirely be expressed in it" ok. so how do i set priorities
> for queues in hfsc
You stack HFSC with link-share service curves with linkshare criterion
1:0 - or in pf.conf(5) terms: "bandwidth 1" and "bandwidth 0".
Or you do not configure
need/have to.
Only useful if devices upstream of the PF router know their available
bandwidth and can do some QoS themselves.
Same can be said for CoS as well. You can only control what's going out
of your own network. After that as soon as it reach your ISP or what
not, you have no clue if t
ere running most certainly needed
> an upgrade anyway.
"cbq can entirely be expressed in it" ok. so how do i set priorities for queues
in hfsc for my local(not for a router above that knows nothing about my
existence. tos is an absolutely unviable concept in the real world) pf-router?
i don't see a word about it in man pf.conf
On Thu, Nov 30, 2023 at 03:55:49PM +0300, 4 wrote:
>
> "cbq can entirely be expressed in it" ok. so how do i set priorities for
> queues in hfsc for my local(not for a router above that knows nothing about
> my existence. tos is an absolutely unviable concept in the real
each connection, so even the basic bandwidth
> control can't really work, let alone prioritising access to the
> available capacity.
> Priorities work when you are trying to transmit more out of an interface
> than the bandwidth available on that interface.
> Say you have a box r
On Thu, Nov 30, 2023 at 02:57:23PM +0300, 4 wrote:
> so what happened to cbq? why such the powerful and useful thing was removed?
> or Theo delete it precisely because it was too good for obsd? %D
Actually, the new queueing system was done by Henning, planned as far back
as (at least) 2012
so what happened to cbq? why such the powerful and useful thing was removed? or
Theo delete it precisely because it was too good for obsd? %D
> You can have more than 8 if you need/have to.
Only useful if devices upstream of the PF router know their available
bandwidth and can do some QoS themselves.
h
control can't really work, let alone prioritising access to the
available capacity.
Priorities work when you are trying to transmit more out of an interface
than the bandwidth available on that interface.
Say you have a box running PF with a 1Gb interface to a
(router/modem/whatever) with an upli
yes, all this can be make without hierarchy, only with priorities(because hierarchy it's
priorities), but who and why decided that eight would be enough? the one who created cbq- he
created it for practical tasks. but this "hateful eight" and this "flat-earth"-
i don't understand what use they
th queues?
> the older ALTQ system was replaced by a whole new system back in OpenBSD 5.5
> (or actually, altq lived on as oldqueue through 5.6), and the syntax is both
> very different and in most things much simpler to deal with.
> The most extensive treatment available is
tem back in OpenBSD 5.5
(or actually, altq lived on as oldqueue through 5.6), and the syntax is both
very different and in most things much simpler to deal with.
The most extensive treatment available is in The Book of PF, 3rd edition
(actually the introduction of the new queues was the reason fo
i haven't used queues for a long time, but now there is a need. previously,
queues had not only a hierarchy, but also a priority. now there is no priority,
only the hierarchy exists. i was surprised, but i thought that this is quite in
the way of Theo, and it is possible to simplify the queue
ble to connect via either connection at any time without changing the
> default gateway.
>
> A long time ago under the old pf syntax I had this in /etc/pf.conf which
> worked fine, and as far as I can remember was the only thing needed to enable
> this desired behavior:
>
>
the default gateway.
A long time ago under the old pf syntax I had this in /etc/pf.conf which worked
fine, and as far as I can remember was the only thing needed to enable this
desired behavior:
pass in on $wan1_if reply-to ( $wan1_if $wan1_gw )
pass in on $wan2_if reply-to ( $wan2_if $wan2_gw
Thnx, this seems toasting better..
On Sat, Nov 11, 2023 at 06:32:26PM +0100, Daniele B. wrote:
>
> "Peter N. M. Hansteen" wrote:
>
> > something like the good old
> > https://home.nuug.no/~peter/pf/newest/log2syslog.html should still
> > work, I think.
> >
> > - Peter
>
>
"Peter N. M. Hansteen" wrote:
> something like the good old
> https://home.nuug.no/~peter/pf/newest/log2syslog.html should still
> work, I think.
>
> - Peter
To disable pflogd completely what do you consider best:
ifconfig pflog0 down
or
pflogd_flags="-f /dev/null"
= Daniele Bonini
On 11.11.2023. 12:13, Stuart Henderson wrote:
> On 2023-11-11, Peter N. M. Hansteen wrote:
>> On Fri, Nov 10, 2023 at 08:23:54PM +0100, Hrvoje Popovski wrote:
>>> what would be best way to log pf logs in ascii and send it to remote
>>> syslog ? I'm aware of pfl
On 2023-11-11, Peter N. M. Hansteen wrote:
> On Fri, Nov 10, 2023 at 08:23:54PM +0100, Hrvoje Popovski wrote:
>> what would be best way to log pf logs in ascii and send it to remote
>> syslog ? I'm aware of pflow but I need ascii pf logs on remote syslog
>> server.
>
>
On Fri, Nov 10, 2023 at 08:23:54PM +0100, Hrvoje Popovski wrote:
> what would be best way to log pf logs in ascii and send it to remote
> syslog ? I'm aware of pflow but I need ascii pf logs on remote syslog
> server.
something like the good old
https://home.nuug.no/~peter/
Hi all,
what would be best way to log pf logs in ascii and send it to remote
syslog ? I'm aware of pflow but I need ascii pf logs on remote syslog
server.
I remember that it was on https://www.openbsd.org/faq/pf/logging.html
and that that section was removed.
Old version is on https
ion is,
"Would it be safe for me to start writing a PF book?"
My answer is no. There is no guarantee that the effort you put in will
give satisfactory-to-you returns in any form or fashion. Writing is a
time sink and publishers may or may not be interested.
On the other hand if y
Peter,
Any plans to update it?
R/,
Jay
> For those interested in physical copies of The Book of PF
> (https://nostarch.com/pf3)
> -- it has been out of print, only available in electronic formats for a while
> --
> I just got word from No Starch Press
Hello Valdrin,
I am also aware that attaching PF to more than one CPU will not be enough,
and I think I have been misunderstood; I do not reproach about this. Just a
curiosity on my part.
As far as I learned from users who wrote me private messages, OpenBSD does
not have a public RoadMap
can say that OpenBSD is more
successful with 1518 byte TCP packets rather than 64 byte UDP packets.
From: owner-m...@openbsd.org on behalf of Gábor LENCSE
Sent: Wednesday, October 25, 2023 18:47
To: misc@openbsd.org
Subject: Re: Parallel PF
Hello Valdrin,
10
see "SMP Improvements" in page: https://www.openbsd.org/72.html
Of course, I'm sure a lot will change when PF becomes mp-safe, but I believe
there is still time for that.
PF's performance can reach up to 10Gbps with the right CPU selection.
Expressing traffic in Gbps can be rather
. In fact, as far as I follow, there are some issues in the UDP_input
section.
Of course, I'm sure a lot will change when PF becomes mp-safe, but I believe
there is still time for that.
PF's performance can reach up to 10Gbps with the right CPU selection. Do you
have traffic that exceeds this? Maybe
softnet kernel tasks to 4 is definitely being considered on the
>> PF side too, but I would like to express my concern about timing. Do you
>> have any schedule for this?
>>
>> I think one of the common prayers of all OpenBSD users is that PF will
>> speed up. Thank you for reading and my best regards.
>>
>> --
>> Sam
>>
>
I'm sure that something like parallel IP forwarding and increasing the
> number of softnet kernel tasks to 4 is definitely being considered on the
> PF side too, but I would like to express my concern about timing. Do you
> have any schedule for this?
>
> I think one of the common pray
Hello dear OpenBSD team,
I'm sure that something like parallel IP forwarding and increasing the
number of softnet kernel tasks to 4 is definitely being considered on the
PF side too, but I would like to express my concern about timing. Do you
have any schedule for this?
I think one
Congratulations on a successful 7.4 release!
I'm writing with a gentle feature request for pf; I asked about this
functionality a long time ago and have seen a few other related questions on
the list since then. Now that I've played with another NAT64 implementation
(Jool), I think I can
> On 15 Sep 2023, at 18:54, Stuart Henderson wrote:
>
> On 2023/09/15 13:40, Andy Lemin wrote:
>> Hi Stuart,
>>
>> Seeing as it seems like everyone is too busy, and my workaround
>> (not queue some flows on interfaces with queue defined) seems of no
>> interest,
>
> well, it might be, but
On 2023/09/15 13:40, Andy Lemin wrote:
> Hi Stuart,
>
> Seeing as it seems like everyone is too busy, and my workaround
> (not queue some flows on interfaces with queue defined) seems of no
> interest,
well, it might be, but I'm not sure if it will fit with how
queues work..
> and my current
Hi Stuart,
Seeing as it seems like everyone is too busy, and my workaround (not queue some flows on interfaces with queue defined) seems of no interest, and my current hack to use queuing on Vlan interfaces is a very incomplete and restrictive workaround;
Would you please be so kind as to provide me
On Thu, Sep 14, 2023 at 7:23 PM Andrew Lemin wrote:
>
>
> On Wed, Sep 13, 2023 at 8:35 PM Stuart Henderson <
> stu.li...@spacehopper.org> wrote:
>
>> On 2023-09-13, Andrew Lemin wrote:
>> > I have noticed another issue while trying to implement a 'prio'-only
>> > workaround (using only prio
On Wed, Sep 13, 2023 at 8:35 PM Stuart Henderson
wrote:
> On 2023-09-13, Andrew Lemin wrote:
> > I have noticed another issue while trying to implement a 'prio'-only
> > workaround (using only prio ordering for inter-VLAN traffic, and HFSC
> > queuing for internet traffic);
> > It is not
rculating on tech@ for further
> > discussion? Queueing at bps resolution is rather redundant nowadays, even
> > on the very slowest links.
>
> tech@ is more for diffs or technical questions rather than not-fleshed-out
> quick ideas. Doing this would solve some problems with the "
On 2023-09-13, Andrew Lemin wrote:
> I have noticed another issue while trying to implement a 'prio'-only
> workaround (using only prio ordering for inter-VLAN traffic, and HFSC
> queuing for internet traffic);
> It is not possible to have internal inter-vlan traffic be solely priority
> ordered
nowadays, even
> on the very slowest links.
tech@ is more for diffs or technical questions rather than not-fleshed-out
quick ideas. Doing this would solve some problems with the "just change it
to 64-bit" mooted on the freebsd-pf list (not least with 32-bit archs),
but would still
>> >
>> > I have discovered that PF's queueing is still limited to 32bit bandwidth
>> > values.
>> >
>> > I don't know if this is a regression or not.
>>
>> It's not a regression, it has been capped at 32 bits afaik forever
>> (certain
> > I don't know if this is a regression or not.
>
> It's not a regression, it has been capped at 32 bits afaik forever
> (certainly was like that when the separate classification via altq.conf
> was merged into PF config, in OpenBSD 3.3).
>
Ah ok, it was talked abou
r
(certainly was like that when the separate classification via altq.conf
was merged into PF config, in OpenBSD 3.3).
> I am sure one of the
> objectives of the ALTQ rewrite into the new queuing system we have in
> OpenBSD today, was to allo
larger than 4294M. Maybe I am
imagining it..
Anyway, I am trying to use OpenBSD PF to perform/filter Inter-VLAN routing
with 10Gbps trunks, and I cannot set the queue bandwidth higher than a
32bit value?
Setting the bandwidth value to 4295M results in a value overflow where
'systat queues' shows
> > > only four but five CPU cores were used by IP packet forwarding:
> > the packet processing is done in kernel threads (task queues are built
> > on threads), and those threads could be scheduled on any cpu. the
> > pf purge processing runs in yet another thread.
> >
threads (task queues are built
on threads), and those threads could be scheduled on any cpu. the
pf purge processing runs in yet another thread.
iirc, the schedule scans down the list of cpus looking for an idle
one when it needs to run stuff, except to avoid cpu0 if possible.
this is why you see most
et processing is done in kernel threads (task queues are built
on threads), and those threads could be scheduled on any cpu. the
pf purge processing runs in yet another thread.
iirc, the schedule scans down the list of cpus looking for an idle
one when it needs to run stuff, except to avoid c
from 4 to 5?*
What is more crucial for me are the stateful NAT64 measurements
with PF.
My stateful NAT64 measurements are as follows.
1. Maximum connection establishment rate test uses a binary search to
find the highest rate, at which all connections can be established
through the statefu
> out. The paper mentions (section A.4) a boost in performance after
> > increasing the state table size limit. Not having looked at the
> > relevant code, so I'm guessing here, but this is a classic indicator
> > of a hashing algorithm falling apart when the table gets close to
>
, but this is a classic indicator
of a hashing algorithm falling apart when the table gets close to
full. Could it be that simple? I need to go digging into the pf
code for a closer look.
Beware, I wrote it about iptables and not PF!
As for iptables, it is really so simple. I have done a deeper