Differences

This shows you the differences between two versions of the page.

--- documentation:examples:dropping_packets_at_high_rate [2020/02/07 16:29] – [Goal] olivier
+++ documentation:examples:dropping_packets_at_high_rate [2024/02/09 09:42] (current) – [NIC level configuration] olivier
@@ Line 12: / Line 12: @@
   - First rule is to deny a blacklist table (IP addresses)
   - Second rule is to allow all the rest
-  - Disable the outgoing [[https://www.freebsd.org/cgi/man.cgi?query=pfil&apropos=0&sektion=0&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html|pfil(9)]] hook at IP level because we don't need to filter outgoing traffic
+  - Disable the outgoing [[https://www.freebsd.org/cgi/man.cgi?query=pfil&apropos=0&sektion=0&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html|pfil(9)]] hook at IP level because we don't need to filter outgoing traffic in this case
 <code>
@@ Line 28: / Line 28: @@
 </code>
 ==== NIC level configuration ====
-(A FreeBSD 13 / head) only feature.
-Only [[https://svnweb.freebsd.org/changeset/base/346632|iflib]], [[https://svnweb.freebsd.org/changeset/base/356613|vtnet]], [[https://svnweb.freebsd.org/changeset/base/346247|Mellanox]] and [[https://svnweb.freebsd.org/changeset/base/357483|Chelsio]] drivers are "[[https://svnweb.freebsd.org/changeset/base/343631|Pfil Memory Pointer Hooks]]" compliant.
+Currently the [[https://svnweb.freebsd.org/changeset/base/343631|Pfil Memory Pointer Hooks]] feature is supported by [[https://svnweb.freebsd.org/changeset/base/346632|iflib]], [[https://svnweb.freebsd.org/changeset/base/356613|vtnet]], [[https://svnweb.freebsd.org/changeset/base/346247|Mellanox]] and [[https://svnweb.freebsd.org/changeset/base/357483|Chelsio]] drivers.
 The configuration file of an IPFW-at-NIC-level is this one:
@@ Line 56: / Line 55: @@
 </code>
-==== Performance impact ====
+==== Performance benches ====
 Hardware:
@@ Line 85: / Line 84: @@
         (Student's t, pooled s = 29598.4)
 </code>
+On the 14Mpps of legitimate traffic, this generic (ie: supported by multi drivers) software firewall is still able to forward 12Mpps while droping 42Mpps of denied packets.
 ===== Using Chelsio's TCAM firewall =====
@@ Line 144: / Line 145: @@
 The script report an hardware dropping rate of 32Mpps: Where are the other 10Mpps ?
-Let's read the [[https://svnweb.freebsd.org/base/head/sys/dev/cxgbe/firmware/t5fw_cfg_hashfilter.txt?view=co|Chelsio default firmware configuration file of our T5 family NIC]]:
+Let's read the [[https://cgit.freebsd.org/src/tree/sys/dev/cxgbe/firmware/t5fw_cfg_hashfilter.txt|Chelsio default firmware configuration file of our T5 family NIC]]:
 <code>
         # TCAM has 8K cells; each region must start at a multiple of 128 cell.
@@ Line 163: / Line 164: @@
 </code>
-To improve the TCAM performance for a filtering usage, all unused "regions" will be disabled to kept only the route and filter.
+To improve the TCAM performance for a filtering usage, all unused "regions" will be disabled to kept only the route and filter (32 entries for route + 2016 for filter = 2048 total).
-For that we need to download a [[https://svnweb.freebsd.org/base/head/sys/dev/cxgbe/firmware/t5fw_cfg_hashfilter.txt?view=co|default TCAM firmware configuration file for our T5 NIC]] to modify its parameters then load the modified configuration into the NIC flash and instruct the NIC to use the file from its flash.
+For that we need to download a [[https://cgit.freebsd.org/src/tree/sys/dev/cxgbe/firmware/t5fw_cfg_hashfilter.txt|default TCAM firmware configuration file for our T5 NIC]] to modify its parameters then load the modified configuration into the NIC flash and instruct the NIC to use the file from its flash.
 <code>
-# fetch -o /etc/t5fw.txt 'https://svnweb.freebsd.org/base/head/sys/dev/cxgbe/firmware/t5fw_cfg_hashfilter.txt?view=co'
+# fetch -o /etc/t5fw.txt https://cgit.freebsd.org/src/plain/sys/dev/cxgbe/firmware/t5fw_cfg_hashfilter.txt
 # sed -i "" -e "s/nclip.*/nclip = 0/" /etc/t5fw.txt
 # sed -i "" -e "s/nfilter.*/nfilter = 2016/" /etc/t5fw.txt