Netgate Discussion Forum

Understanding firewalling process

    PeterZ
    last edited by Aug 10, 2007, 4:11 PM

    This question is likely more FreeBSD and PF related, but I have not found good documentation about it out there, so I would be happy if someone pointed me to some.

    A good understanding of the internal workings would help with performance tuning.

    When a packet comes from the network it is stored in the network card buffer and fetched from it on the interrupt, probably a few at a time.
    Are the packets then stored in some buffer, or are they passed to firewall filtering during interrupt handling?

    Now, when it comes to the firewalling/NATing process, what are the aspects affecting performance besides the number of rules?

    I'm honestly a bit puzzled by what I observe right now. I can see 70-80% of CPU usage reported as "Interrupt Time" vs just 1% system. This seems to show filtering is happening in interrupt mode, or is counted in interrupt time for some strange, different reason.

    On the other hand, there are some 10.000 context switches per second, which means a lot of context switches are happening that would not need to happen if filtering is done during the interrupt handling.

    It also does not seem to match 1% of CPU usage - I'd expect a somewhat larger value for this number of switches.
