1 Reply Latest reply on May 11, 2016 4:38 PM by Steve H -Oracle

    size of /etc/ipf/ipf.conf vs multicast performance


      We’ve been having severe performance problems in applications that send multicast UDP after 16K of IP rules were added on our boxes.

      Profiling shows that most time is spent in the sendto system call (each call taking several ms to finish) while sending multicast UDP packets, the amount of which is very moderate.

      Is there a number, which would be considered a reasonable limit for how many rules should be in /etc/ipf/ipf.conf?




      OS details: uname -a

      SunOS <boxname> 5.10 Generic_150401-30 i86pc i386 i86pc Solaris


      Our /etc/ipf/ipf.conf contains 16K records, each looking like this:

         block out quick proto tcp/udp from any to <Multicast address>/32



        • 1. Re: size of /etc/ipf/ipf.conf vs multicast performance
          Steve H -Oracle

          There have been bugs fixed in the past for large numbers of rules causing performance issues, but these were fixed in patches.


            6719268 enabling ipfilter causes up to 80% or more drop in packet throughput for multi-stream workloads

            6859313 large number of rules in ipfilter decreases throughput performance


          The latest IPFilter patch is:

            Patch-ID# 148379-14

            Keywords: ippool ipf

            Synopsis: SunOS 5.10: ippool patch


          This patch requires Kernel Patch 144500-19 (or greater)

          (having the latest Kernel update and corresponding ipfilter patch is always a good idea).


          Also, the ippool(1M) IPF tool can be used to help reduce the number of rules, thus making IPF a better performer.

          Thousands of rules is unusual.


          The idea behind using IP pool is to group IP addresses into groups (pools). Those pools can then be referred to by rules.

          see: http://docs.oracle.com/cd/E19253-01/816-4554/faafi/index.html

          note: removing "log" in rules will also help with performance.
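
The pool approach suggested in the reply, as an added example that is not part of the original thread: a Python sketch that folds each consecutive run of rules differing only in a literal destination address into one `ippool.conf` table and a single rule referencing it. The function name `fold_rules`, the starting pool number 100 and the sample addresses are assumptions made for illustration. Only consecutive runs are folded, so the evaluation order of `quick` rules is unchanged.

```python
import ipaddress
import re

# A rule whose last token is a literal destination address (the form quoted
# in the question). Comment lines and rules with trailing options do not match.
RULE_RE = re.compile(
    r"^\s*(?P<head>[^#\s].*?\sto)\s+(?P<dst>\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s*$")

# Constructed sample input; the addresses are illustrative, not from the thread.
SAMPLE = """\
block out quick proto tcp/udp from any to 239.1.1.0/32
block out quick proto tcp/udp from any to 239.1.1.1/32
block out quick proto tcp/udp from any to 239.1.1.2/32
block out quick proto tcp/udp from any to 239.1.1.3/32
block out quick proto tcp/udp from any to 239.1.2.5/32
pass out quick all
""".splitlines()


def fold_rules(lines, first_pool=100):
    """Return (ippool_conf_text, ipf_conf_text) with address runs folded into pools."""
    pools, out, prev_head = [], [], None
    for raw in lines:
        line = raw.rstrip("\n")
        m = RULE_RE.match(line)
        if m is None:
            out.append(line)      # keep every other line untouched
            prev_head = None      # and end the current run
            continue
        head = " ".join(m.group("head").split())
        if head != prev_head:     # a new run starts: allocate a new pool
            pools.append([])
            out.append(f"{head} pool/{first_pool + len(pools) - 1}")
            prev_head = head
        pools[-1].append(ipaddress.ip_network(m.group("dst"), strict=False))
    tables = []
    for i, nets in enumerate(pools):
        # Merge adjacent addresses into larger prefixes; the address set is unchanged.
        body = ", ".join(str(n) for n in ipaddress.collapse_addresses(nets))
        tables.append(f"table role = ipf type = tree number = {first_pool + i}\n"
                      f"        {{ {body} }};")
    return "\n".join(tables) + "\n", "\n".join(out) + "\n"


if __name__ == "__main__":
    pool_conf, ipf_conf = fold_rules(SAMPLE)
    print("# ippool.conf\n" + pool_conf)
    print("# ipf.conf\n" + ipf_conf)
```

The pool file has to be loaded (for example with `ippool -f`) before the rules that reference it.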