PF: How to see the number of CPU cycles for a particular FW rule?

Dear FreeBSD Gurus!

This question is about measuring the effectiveness of the firewall ruleset.

How can I see the number of CPU cycles spent on a particular FW rule?

And better yet, to see in conjunction: bytes (packets) / median CPU cycles per packet accepted or rejected by this rule, to determine which rules are heavily loaded by traffic and how many CPU cycles this particular rule (I mean its opcode) is eating.
(I read somewhere that ipfw is able to do that…)

This may be very helpful for optimizing the ruleset of the whole FW.

Have nice sunny days!
 
How can I see the number of CPU cycles spent on a particular FW rule?

That's essentially useless, because you're not going to be measuring what you think you're measuring. pf only evaluates the rules for the first packet. Once it's accepted pf will create a state and future packets within that connection will match the state. No further rule evaluation will be done.
You could tell it not to keep state, but then you're not really measuring pf but some other, worse, firewall loosely based on pf.
 
The "doubling" method should work here.

For the rule you want to measure, duplicate it (or 10x or whatever) and see how CPU load changes.
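Scaffolding for the doubling method described above, as an added example that is not code from the thread or from pf itself: `dup_rule` writes out a ruleset with a chosen rule repeated N times, `rule_counters` parses the per-rule counters that `pfctl -v -s rules` already keeps (evaluations, packets, bytes), which covers the traffic-per-rule half of the original question, and `measure` sketches the load-and-sample loop. The helper names are mine, and the sample ruleset and pfctl output are constructed. Two caveats that follow from how pf works: the duplicated rule must not carry `quick`, because a quick match stops evaluation at the first copy, and the `Evaluations` counter only counts packets that were actually run through the rule, which with keep-state rules is the first packet of each connection, so what you measure is the cost per state creation, not per packet.

```shell
#!/bin/sh
# Added example, not code from the thread. Helper names (dup_rule,
# rule_counters, measure) and the sample data are constructed for illustration.

# Constructed sample ruleset: the rule we want to cost out is the ssh one.
SAMPLE_RULESET='block all
pass in on em0 proto tcp to port 22
pass out all'

# Constructed sample of `pfctl -v -s rules` output (real pfctl prints one
# "[ Evaluations: ... ]" line under each rule in this format).
SAMPLE_PFCTL='block drop all
  [ Evaluations: 500       Packets: 40        Bytes: 2400        States: 0     ]
pass in on em0 inet proto tcp from any to any port = ssh flags S/SA keep state
  [ Evaluations: 460       Packets: 300       Bytes: 180000      States: 3     ]
pass out all flags S/SA keep state
  [ Evaluations: 9000      Packets: 120000    Bytes: 96000000    States: 42    ]'

# dup_rule RULE N: read a ruleset on stdin and print it with every line that
# exactly equals RULE repeated N times. The copies must not be `quick` rules:
# a quick match ends evaluation at the first copy, whereas without `quick`
# pf evaluates all N copies (last match wins), so the per-evaluation cost of
# that rule scales by N while everything else stays the same.
dup_rule() {
    awk -v rule="$1" -v n="$2" '
        $0 == rule { for (i = 0; i < n; i++) print; next }
        { print }
    '
}

# rule_counters: turn `pfctl -v -s rules` output (stdin) into one line per
# rule: evaluations, packets, bytes, then the rule text. Evaluations counts
# packets that actually reached the rule, which with keep-state rules is the
# first packet of each connection, not every packet of the flow.
rule_counters() {
    awk '
        /^ *\[ Evaluations:/ { printf "%s %s %s %s\n", $3, $5, $7, rule; next }
        /^ *\[/ { next }     # other bracketed detail lines (-vv output)
        { rule = $0 }        # a rule line precedes its counter line
    '
}

# measure RULESET_FILE SECS: load the ruleset, zero per-rule counters, and
# report average %idle over SECS seconds of vmstat samples (the first sample
# is the since-boot average and is skipped). Run it with the N=1 and the
# N=10 rulesets under the same traffic; the drop in idle time divided by
# (10 - 1) * evaluations approximates the cost of one evaluation of the rule.
# Needs root on a FreeBSD host with pf enabled; not executed here.
measure() {
    pfctl -f "$1" && pfctl -z || return 1
    vmstat 1 "$2" | awk 'NR > 3 { idle += $NF; n++ } END { if (n) printf "idle %.1f%%\n", idle / n }'
    pfctl -v -s rules | rule_counters | sort -k1,1nr
}

# Offline usage of the two parsing helpers:
#   printf '%s\n' "$SAMPLE_RULESET" | dup_rule 'pass in on em0 proto tcp to port 22' 10 > /tmp/pf.x10.conf
#   printf '%s\n' "$SAMPLE_PFCTL" | rule_counters | sort -k1,1nr
```

Before comparing runs, `pfctl -z` resets the per-rule counters so the evaluation counts line up with the vmstat window; the sorted `rule_counters` output then tells you which rules the traffic actually reaches, which is the first thing to know before spending effort on the cycle cost of any one of them.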
Thank You for answering!

Could you please explain your answer?

How can SEVERAL ABSOLUTELY IDENTICAL rules reduce CPU load, since all packets are processed only by the first rule in the set?
 
pftop just looks at states, so for CPU monitoring you would do top -Pp using the PID from {ps -ax|grep pf} to measure pf purge and pflogd CPU load?
I see no way of breaking the load down by individual rules.
 