documentation:examples:dropping_packets_at_high_rate
documentation:examples:dropping_packets_at_high_rate [2020/02/07 16:29] – [Goal] olivier
documentation:examples:dropping_packets_at_high_rate [2022/03/15 19:52] – [Using Chelsio's TCAM firewall] olivier
Line 12: Line 12:
   - First rule is to deny a blacklist table (IP addresses)   - First rule is to deny a blacklist table (IP addresses)
   - Second rule is to allow all the rest   - Second rule is to allow all the rest
-  - Disable the outgoing [[https://www.freebsd.org/cgi/man.cgi?query=pfil&apropos=0&sektion=0&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html|pfil(9)]] hook at IP level because we don't need to filter outgoing traffic+  - Disable the outgoing [[https://www.freebsd.org/cgi/man.cgi?query=pfil&apropos=0&sektion=0&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html|pfil(9)]] hook at IP level because we don't need to filter outgoing traffic in this case
  
 <code> <code>
Line 28: Line 28:
 </code> </code>
 ==== NIC level configuration ==== ==== NIC level configuration ====
-(A FreeBSD 13 head) only feature.+** A FreeBSD 13 (-head) only feature.**
  
-Only [[https://svnweb.freebsd.org/changeset/base/346632|iflib]][[https://svnweb.freebsd.org/changeset/base/356613|vtnet]], [[https://svnweb.freebsd.org/changeset/base/346247|Mellanox]] and [[https://svnweb.freebsd.org/changeset/base/357483|Chelsio]] drivers are "[[https://svnweb.freebsd.org/changeset/base/343631|Pfil Memory Pointer Hooks]]" compliant.+Currently the [[https://svnweb.freebsd.org/changeset/base/343631|Pfil Memory Pointer Hooks]] feature is supported by [[https://svnweb.freebsd.org/changeset/base/346632|iflib]], [[https://svnweb.freebsd.org/changeset/base/356613|vtnet]][[https://svnweb.freebsd.org/changeset/base/346247|Mellanox]] and [[https://svnweb.freebsd.org/changeset/base/357483|Chelsio]] drivers.
  
 The configuration file of an IPFW-at-NIC-level is this one: The configuration file of an IPFW-at-NIC-level is this one:
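Review bot: in the rewritten driver list on the `+` side of the "Pfil Memory Pointer Hooks" sentence, the missing separator was moved rather than fixed: a comma now sits between iflib and vtnet, but vtnet and Mellanox still run together with nothing between the two links, so the list should read "iflib, vtnet, Mellanox and Chelsio". On the bold `+` line just above it, the opening marker has a space inside it (`** A FreeBSD 13`), which DokuWiki renders as a leading space in the bold text; drop that space to match the closing `.**`.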
Line 56: Line 56:
 </code> </code>
  
-==== Performance impact ====+==== Performance benches ====
  
 Hardware: Hardware:
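Review bot: "Performance benches" in the renamed heading is informal shorthand; "Performance benchmarks" reads more clearly and still describes what the section reports (measured forward and drop rates rather than an impact analysis), so consider that wording for the `+` side of the heading line.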
Line 85: Line 85:
         (Student's t, pooled s = 29598.4)         (Student's t, pooled s = 29598.4)
 </code> </code>
 +
 +On the 14Mpps of legitimate traffic, this generic (ie: supported by multi drivers) software firewall is still able to forward 12Mpps while droping 42Mpps of denied packets.
 ===== Using Chelsio's TCAM firewall ===== ===== Using Chelsio's TCAM firewall =====
  
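Review bot: the new summary sentence on the `+` line has spelling and wording slips: "droping" should be "dropping", "ie:" should be "i.e.", and "supported by multi drivers" should be "supported by multiple drivers". It would also help the reader to state the total offered load explicitly, since the sentence gives 14Mpps of legitimate traffic plus 42Mpps of denied packets (56Mpps in) against 12Mpps forwarded out; writing the total makes the forwarding loss under attack easier to read at a glance.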
Line 144: Line 146:
 The script report an hardware dropping rate of 32Mpps: Where are the other 10Mpps ? The script report an hardware dropping rate of 32Mpps: Where are the other 10Mpps ?
  
-Let's read the [[https://svnweb.freebsd.org/base/head/sys/dev/cxgbe/firmware/t5fw_cfg_hashfilter.txt?view=co|Chelsio default firmware configuration file of our T5 family NIC]]:+Let's read the [[https://cgit.freebsd.org/src/tree/sys/dev/cxgbe/firmware/t5fw_cfg_hashfilter.txt|Chelsio default firmware configuration file of our T5 family NIC]]:
 <code> <code>
         # TCAM has 8K cells; each region must start at a multiple of 128 cell.         # TCAM has 8K cells; each region must start at a multiple of 128 cell.
Line 163: Line 165:
 </code> </code>
  
-To improve the TCAM performance for a filtering usage, all unused "regions" will be disabled to kept only the route and filter.+To improve the TCAM performance for a filtering usage, all unused "regions" will be disabled to kept only the route and filter (32 entries for route + 2016 for filter = 2048 total).
  
-For that we need to download a [[https://svnweb.freebsd.org/base/head/sys/dev/cxgbe/firmware/t5fw_cfg_hashfilter.txt?view=co|default TCAM firmware configuration file for our T5 NIC]] to modify its parameters then load the modified configuration into the NIC flash and instruct the NIC to use the file from its flash.+For that we need to download a [[https://cgit.freebsd.org/src/tree/sys/dev/cxgbe/firmware/t5fw_cfg_hashfilter.txt|default TCAM firmware configuration file for our T5 NIC]] to modify its parameters then load the modified configuration into the NIC flash and instruct the NIC to use the file from its flash.
 <code> <code>
-# fetch -o /etc/t5fw.txt 'https://svnweb.freebsd.org/base/head/sys/dev/cxgbe/firmware/t5fw_cfg_hashfilter.txt?view=co'+# fetch -o /etc/t5fw.txt https://cgit.freebsd.org/src/plain/sys/dev/cxgbe/firmware/t5fw_cfg_hashfilter.txt
 # sed -i "" -e "s/nclip.*/nclip = 0/" /etc/t5fw.txt # sed -i "" -e "s/nclip.*/nclip = 0/" /etc/t5fw.txt
 # sed -i "" -e "s/nfilter.*/nfilter = 2016/" /etc/t5fw.txt # sed -i "" -e "s/nfilter.*/nfilter = 2016/" /etc/t5fw.txt
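Review bot: the `sed` substitutions on the `+` and context lines are unanchored (`s/nclip.*/nclip = 0/`, `s/nfilter.*/nfilter = 2016/`), and the firmware configuration visibly contains comment lines (the `# TCAM has 8K cells` line shown above), so any comment that mentions `nclip` or `nfilter` would be rewritten as well; anchor the pattern to the start of the line, e.g. `s/^[[:space:]]*nclip.*/nclip = 0/`, so only the assignment line is touched. The URL change is consistent: the wiki links use `/src/tree/` (rendered page) while the `fetch` command uses `/src/plain/` (raw file), which is the right split since the tree URL would return HTML rather than the config text. On the modified prose line, "will be disabled to kept only the route and filter" should read "to keep only", and the new parenthetical "(32 entries for route + 2016 for filter = 2048 total)" matches the `nfilter = 2016` substitution but none of the visible commands sets the 32-entry route region, so either show the command that sets it or say that the route size is the file's default.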
documentation/examples/dropping_packets_at_high_rate.txt · Last modified: 2024/02/09 09:42 by olivier

Except where otherwise noted, content on this wiki is licensed under the following license: BSD 2-Clause