Re: ebtables and smp machines
On Thu, 2 Dec 2004 11:36:37 -0500, Theodore wrote in message
<20041202163637.GB5571@annapolislinux.org>:
> Are there any dual processor firewalls out there ?
>
> I am just curious if most firewalls are single CPU machines. I put a
> SMP firewall in place yesterday and I think I may have misconfigured
> something. :)
>
> My problem is that I have been running ebtables as a kernel module in
> the 2.6.8 SMP kernel. The kernel is compiled for bridge support and
> bridging is enabled, which is very IRQ intensive.
..generally or just for smp bridges?
> The 700MHz P3 dual processor machine is a bridge for a T3 (DS3) line to
..mine is a 1.2G single Duron, on a lazy 20MB/s line outside a ditto
Duron router. No ebtables, though, and it's due for replacement by
a one-box throttling router built on the same hardware.
> our network. Today, when I made a minor update to the firewall rules
> and ran the changes, it crashed. I got a kernel panic with 'fatal
> exception in interrupt'. So after rebooting, I figured I cannot safely
> change my firewall rules at the moment without rebooting the machine.
..my isp client's experience is, if you can do it in 15 seconds,
nobody complains. ;-)
> I did a google search on 'fatal exception in interrupt' and I am
> alone. :(
>
> Could the SMP stuff in the kernel cause fatal exception errors in the
> kernel with applications that are very network IO intensive ?
>
>
> If you are not using a transparent bridge, here is a definition:
> =====================================
>
> Transparent bridges are becoming trendy because you can drop them on a
> network without modifying the whole network topography. Most
> transparent bridges are used as bandwidth shapers. But, transparent
> bridges can be used as firewalls and stealthy IDS systems.
>
> Similar to a router, a transparent bridge is a device that passes
> packets from one interface to another. Unlike a router, a transparent
> bridge does not need to have an IP address. Bridges work on the layer 2
> level of the TCP/IP stack. Layer 2 is the physical (hardware address)
> layer. For example, one MAC passes all the info it gets to the other
> MAC. Switches are a new marketing term to define multiport bridges
> according to Radia Perlman. Perlman is the author of the 'spanning
> tree algorithm' and a book called "Interconnections: bridges, routers,
> switches, and Internetworking Protocols".
>
..how much do you sell these for? ;-)
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.