pf vs mp

classic Classic list List threaded Threaded
39 messages Options
12
Reply | Threaded
Open this post in threaded view
|

pf vs mp

quartz-2
Quick question: I need to make a decision between a faster single core
and a slower multicore. The faq currently states that pf gets no
improvement from mp. Is this still correct/current information?
Presumably it would see no benefit from hyperthreading either, right?

For an OpenBSD machine acting as a gateway/firewall/router with a
handful of related tasks (pf, dhcp server, etc) would mp yield anything?

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

Giancarlo Razzolini-3
Em 31-08-2015 23:38, Quartz escreveu:
> Quick question: I need to make a decision between a faster single core
> and a slower multicore. The faq currently states that pf gets no
> improvement from mp. Is this still correct/current information?

Not anymore. There has been some work on mp support, although I don't
think it made 5.8. Nor that it will make 5.9, for that matter.

> For an OpenBSD machine acting as a gateway/firewall/router with a
> handful of related tasks (pf, dhcp server, etc) would mp yield anything?

Of course, yes. Just because PF doesn't get any benefits (yet) from MP,
it doesn't mean these other programs won't. That being said, you'll
probably be ok with a single core. But, if you machine have no problems
with it, using MP won't hurt, and will definitely improve your performance.

Cheers,
Giancarlo Razzolini

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

fwsoucy
In reply to this post by quartz-2
On 2015.08.31, Quartz wrote:
> For an OpenBSD machine acting as a gateway/firewall/router with a handful of
> related tasks (pf, dhcp server, etc) would mp yield anything?

are we talking home router here or something more specialized?

there is not really any *negative* to mp besides maybe cost/power consumption.
the use of multi core vs single core is going to come down to your
specific needs and expected use/load for the machine. ex:

my home router is an intel atom d2550(dual core/ht 1.8ghz) gbe
running pf, ntpd, dns, dhcpd and wifi for ~12 machines and doesnt
break a sweat. my rig spends most of its time scaled down to 224mhz.
this is fine. i don't loose anything by using a mp system and i woudn't
gain any more performance with a single core machine.

now if i needed a gateway/firewall for say 50 machines it would be different.
dns, ntp, dhcp would all be moved to other machines on the network and a
faster single core cpu would be preferable. after all its only job is to
route packets as fast as it can.

if your need is high performance routing go single core.
if you need something more general purpose go multi core.
if you want to future proof for smp pf go multi core.

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

phessler
In reply to this post by quartz-2
Are you doing anything above 5Gbps?  Or above 500k pps?

if not, get whichever.

If you are, then higher frequency cores are better; today.

If you are running dhcp server, then you are likely not.



On 2015 Aug 31 (Mon) at 22:38:47 -0400 (-0400), Quartz wrote:
:Quick question: I need to make a decision between a faster single core and a
:slower multicore. The faq currently states that pf gets no improvement from
:mp. Is this still correct/current information? Presumably it would see no
:benefit from hyperthreading either, right?
:
:For an OpenBSD machine acting as a gateway/firewall/router with a handful of
:related tasks (pf, dhcp server, etc) would mp yield anything?
:

--
Even if you're on the right track, you'll get run over if you just sit there.
                -- Will Rogers

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

lists-2
In reply to this post by quartz-2
> Quick question: I need to make a decision between a faster single core
> and a slower multicore.

Quick answer: faster multiple cores within similar thermal envelope,
i.e. newer lithography.

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

quartz-2
In reply to this post by Giancarlo Razzolini-3
>> For an OpenBSD machine acting as a gateway/firewall/router with a
>> handful of related tasks (pf, dhcp server, etc) would mp yield anything?
>
> Of course, yes. Just because PF doesn't get any benefits (yet) from MP,
> it doesn't mean these other programs won't.

Sorry that was unclear wording on my part. This machine is 95% pf
routing with some dhcp/dns on the side- AFAIK those won't account for
much so if there's nothing else there wouldn't really be a benefit going
multicore, right?

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

quartz-2
In reply to this post by fwsoucy
> are we talking home router here or something more specialized?

A little more specialized. It's a sort of embedded system and it needs
to fit within some size/thermal/watts/noise constraints. It needs to
serve something roughly equivalent to a small office.

> now if i needed a gateway/firewall for say 50 machines it would be different.
> dns, ntp, dhcp would all be moved to other machines on the network

This has to be one physical box.

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

Giancarlo Razzolini-3
In reply to this post by quartz-2
Em 01-09-2015 10:21, Quartz escreveu:
>
> Sorry that was unclear wording on my part. This machine is 95% pf
> routing with some dhcp/dns on the side- AFAIK those won't account for
> much so if there's nothing else there wouldn't really be a benefit
> going multicore, right?

Dhcp, no. DNS, yes. As I mentioned, I have a small home server which is
single core that has a lot more daemons running and it doesn't break a
sweat. A small office isn't that much different from a home server. I
see, that more than really wanting to know if you'd be ok with mp,
you're seeking validation to go through with a single core. If you're
only using pf, dhcpd and dns server, it will work. But don't expect it
to scale too well if your small office becomes a medium sized office.

Cheers,
Giancarlo Razzolini

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

quartz-2
>A small office isn't that much different from a home server.

It's not actually a small office, that's just the best analogy I could
think of.


>I
> see, that more than really wanting to know if you'd be ok with mp,
> you're seeking validation to go through with a single core.

Well... that's kind of the same thing though, isn't it? Hypothetically,
if I have a single core with a speed of "1" vs say a dual core where
each core has a speed of ".75", I'm getting the impression that the dual
will end up being likely slower, given that pf is currently single
threaded and the other stuff isn't accounting for much overhead. Even
though the total computational power of the dual core would be 50% more,
that extra power is effectively unusable.


>If you're
> only using pf, dhcpd and dns server, it will work. But don't expect it
> to scale too well if your small office becomes a medium sized office.

Again, it's not actually an office, and it won't need to scale, at least
not by much.

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

quartz-2
In reply to this post by Giancarlo Razzolini-3
> Dhcp, no. DNS, yes.

Also, does a local DNS resolver really consume that much cpu that it
would see any notable effect from having another core? I thought that
was more a RAM thing.

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

Giancarlo Razzolini-3
In reply to this post by quartz-2
Em 01-09-2015 14:18, Quartz escreveu:
> It's not actually a small office, that's just the best analogy I could
> think of.

My home server many times ends up having more traffic to deal with than
my small office. So an analogy not always plays in our favour.

> Well... that's kind of the same thing though, isn't it?
> Hypothetically, if I have a single core with a speed of "1" vs say a
> dual core where each core has a speed of ".75", I'm getting the
> impression that the dual will end up being likely slower, given that
> pf is currently single threaded and the other stuff isn't accounting
> for much overhead. Even though the total computational power of the
> dual core would be 50% more, that extra power is effectively unusable.

Not exactly. In your case, you are using only a dhcp server and a dns
server, along with pf. I'm confident that in most cases you will perform
better having the single core at 100% speed than two cores at 75% speed.
But don't expect consistent performance through peaks and heavy loads.
Again, it all depends on your use case. As other people mentioned, if
you are that concerned about pf performance (you shouldn't be), them run
only pf, with no other daemons or process with it.

> Again, it's not actually an office, and it won't need to scale, at
> least not by much.

If you expect consistent traffic, it perhaps would be better to actually
measure it, and only then decide. pflow(4) and nfsen come to mind. symon
is another good candidate. With that, you can deploy only the amount of
hardware needed.

Cheers,
Giancarlo Razzolini

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

Giancarlo Razzolini-3
In reply to this post by quartz-2
Em 01-09-2015 14:21, Quartz escreveu:
> Also, does a local DNS resolver really consume that much cpu that it
> would see any notable effect from having another core? I thought that
> was more a RAM thing.

If it will be the resolver for your entire internal LAN (and the
firewall itself), then it will consume more RAM and CPU than pf. Having
more of both in this case is better. Again, each case is different and
you should really try and see. Also, all of this might become somewhat
irrelevant when (if) the mp pf patch enters base.

Cheers,
Giancarlo Razzolini

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

patric conant
On Tue, Sep 1, 2015 at 12:41 PM, Giancarlo Razzolini <[hidden email]>
wrote:

> Em 01-09-2015 14:21, Quartz escreveu:
> > Also, does a local DNS resolver really consume that much cpu that it
> > would see any notable effect from having another core? I thought that
> > was more a RAM thing.
>
> If it will be the resolver for your entire internal LAN (and the
> firewall itself), then it will consume more RAM and CPU than pf. Having
> more of both in this case is better. Again, each case is different and
> you should really try and see. Also, all of this might become somewhat
> irrelevant when (if) the mp pf patch enters base.
>
> Cheers,
> Giancarlo Razzolini
>
>
Quartz,

This becomes a complex question, but the short answer is to use the
multi-processor system. The single core will perform better when you care
nothing about your performance, the multi-core system will perform better
the only time you care at all about performance. The issue here is that you
aren't actually interested in being faster when you're not under some sort
of load, just being adequate. However, when approaching the event of the
firewall being your bottleneck, you'll be under load, or you won't be
approaching it, at that moment, simultaneously serving out DNS requests,
and continuing to service packet forwarding is the desired effect, and not
paying a context-switching tax during these simultaneous load events will
make a bigger difference than any other single factor. The single-core
approach achieves instead being most efficient under the least load, while
that might make up the largest percentage of the system's life, who cares
how fast you are when you aren't doing anything.

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

quartz-2
>not
> paying a context-switching tax during these simultaneous load events will
> make a bigger difference than any other single factor.

I guess that's what I was getting at in my original poorly worded
question: at what point do context switches negate the benefit of a
faster single core (given a situation where the machine is only running
a handful of services). I realize that's hard to answer without first
providing extensive hardware and use case details though.

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

quartz-2
In reply to this post by patric conant
>but the short answer is to use the
> multi-processor system. The single core will perform better when you care
> nothing about your performance, the multi-core system will perform better
> the only time you care at all about performance.

I think some information is getting lost here. I'm not comparing single
vs multi core operation in a purely mathematical sense on identical
hardware. I'm trying to decide between a setup that uses a relatively
fast single core vs a setup that uses slower multi cores. In aggregate
the multiple cores have more processing power than the fast single, but
in isolation are notably slower. The workload is mainly pf, and given
that pf is currently single threaded, I'm trying to figure out if the
other stuff on the box causes enough overhead that going with slower
multi cores will end up being faster in the end or not.

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

patric conant
Quartz,

I'm sorry I'm not familiar with either of the processor's you're
describing. In the vague terms you have given, I am 100% that the answer is
use the multicore setup.

On Tue, Sep 1, 2015 at 2:06 PM, Quartz <[hidden email]> wrote:

> but the short answer is to use the
>> multi-processor system. The single core will perform better when you care
>> nothing about your performance, the multi-core system will perform better
>> the only time you care at all about performance.
>>
>
> I think some information is getting lost here. I'm not comparing single vs
> multi core operation in a purely mathematical sense on identical hardware.
> I'm trying to decide between a setup that uses a relatively fast single
> core vs a setup that uses slower multi cores. In aggregate the multiple
> cores have more processing power than the fast single, but in isolation are
> notably slower. The workload is mainly pf, and given that pf is currently
> single threaded, I'm trying to figure out if the other stuff on the box
> causes enough overhead that going with slower multi cores will end up being
> faster in the end or not.

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

Atanas Vladimirov
In reply to this post by quartz-2
On 01.09.2015 22:06, Quartz wrote:

>> but the short answer is to use the
>> multi-processor system. The single core will perform better when you
>> care
>> nothing about your performance, the multi-core system will perform
>> better
>> the only time you care at all about performance.
>
> I think some information is getting lost here. I'm not comparing
> single vs multi core operation in a purely mathematical sense on
> identical hardware. I'm trying to decide between a setup that uses a
> relatively fast single core vs a setup that uses slower multi cores.
> In aggregate the multiple cores have more processing power than the
> fast single, but in isolation are notably slower. The workload is
> mainly pf, and given that pf is currently single threaded, I'm trying
> to figure out if the other stuff on the box causes enough overhead
> that going with slower multi cores will end up being faster in the end
> or not.

  I red all thoughts till now and my advice is if you are going to buy
  a new hardware now (year 2015) take multi core CPU.
  The OpenBSD just get better every day and if you follow tech@,
source-changes@
  and misc@ you already know that our beloved OS soon or later will
spread load
  on all CPU/CORES (device drivers, TCP/IP stack, pf and so on).

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

Giancarlo Razzolini-3
In reply to this post by quartz-2
Em 01-09-2015 16:06, Quartz escreveu:

> I think some information is getting lost here. I'm not comparing
> single vs multi core operation in a purely mathematical sense on
> identical hardware. I'm trying to decide between a setup that uses a
> relatively fast single core vs a setup that uses slower multi cores.
> In aggregate the multiple cores have more processing power than the
> fast single, but in isolation are notably slower. The workload is
> mainly pf, and given that pf is currently single threaded, I'm trying
> to figure out if the other stuff on the box causes enough overhead
> that going with slower multi cores will end up being faster in the end
> or not.

The short answer is, unless you can guarantee that pf will have its own
core and no other process will race against it (you can't), then go for
the mp. Truth is, that pf is so fast, that the bottleneck almost never
is it. If you ever reach a point where pf is giving you trouble, than
I'm guessing you're a backbone with tons of GB/s of traffic. And even
then it can adjusted to not give you trouble. Clearer now?

Cheers,
Giancarlo Razzolini

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

Joseph Borg
In reply to this post by quartz-2
Maybe this webpage would help you make an informed choice?

https://calomel.org/pf_config.html

Sent from my iPod

> On 01 Sep 2015, at 04:38, Quartz <[hidden email]> wrote:
>
> Quick question: I need to make a decision between a faster single core and a slower multicore. The faq currently states that pf gets no improvement from mp. Is this still correct/current information? Presumably it would see no benefit from hyperthreading either, right?
>
> For an OpenBSD machine acting as a gateway/firewall/router with a handful of related tasks (pf, dhcp server, etc) would mp yield anything?

Reply | Threaded
Open this post in threaded view
|

Re: pf vs mp

James Shupe-4
On 9/1/2015 3:40 PM, Joseph Borg wrote:
> Maybe this webpage would help you make an informed choice?
>
> https://calomel.org/pf_config.html
>

You must be new around here.

--
James Shupe

12