OpenBSD: PF queues break the 4 Gbps barrier

OpenBSD's PF packet filter previously capped bandwidth configurations at 4 Gbps due to a 32-bit integer limitation, causing silent errors with modern high-speed interfaces. A new patch upgrades these internal values to 64-bit, enabling support for up to 999 Gbps, a significant step in performance for the security-focused OS. This fix sparked discussion on OpenBSD's role in high-throughput environments, its performance tradeoffs, and the perennial optimism (or naivete) of

Score: 115 | Comments: 30 | Highest rank: #2 | 6h on front page | First seen: Mar 19, 2:00 PM | Last seen: Mar 19, 7:00 PM

The Lowdown

OpenBSD's Packet Filter (PF), a cornerstone of its networking stack, has long provided traffic shaping capabilities using HFSC queues. However, a silent, critical flaw existed: an internal 32-bit limitation within the hfsc_sc structure capped bandwidth configuration values at approximately 4.29 Gbps. This meant that attempts to configure queues for 10G, 25G, or 100G interfaces would result in silent wraps, leading to incorrect and unpredictable scheduling behavior. The problem became increasingly pertinent as OpenBSD developers made strides in SMP kernel support and added drivers for high-speed network cards. A recent patch addresses this bottleneck by:

- Widening the bandwidth fields within the kernel's HFSC scheduler from 32-bit to 64-bit integers.
- Allowing bandwidth values up to 999 Gbps (or ~1 Tbps internally) to be configured correctly.
- Fixing a display bug in pftop(1) that previously misrepresented bandwidths above 4 Gbps.
- Ensuring that existing configurations below 4 Gbps continue to function without requiring changes.

This enhancement future-proofs OpenBSD's traffic shaping for current and upcoming multi-gigabit network interfaces, bringing the pf.conf syntax in line with expected behavior for high-speed networking.
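To make the "silent wrap" concrete, here is an added example (not OpenBSD's or pfctl's code) that parses a pf.conf-style bandwidth string into bits per second, shows what a 32-bit field would retain from that value, and adds the fits-in-32-bits check that a silently truncating path lacks. The suffix set (K/M/G/T, decimal multipliers) and the helper names are assumptions for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical parser for pf.conf-style bandwidth strings such as "10G",
 * "500M" or "4294967296" (bare number = bits per second). Not OpenBSD's
 * own parser. Returns bits per second as a 64-bit value, or 0 on a parse
 * error or on arithmetic overflow of the multiply. Assumption: decimal
 * (SI) multipliers for the suffixes. */
uint64_t bw_parse64(const char *s)
{
    char *end;
    unsigned long long v = strtoull(s, &end, 10);
    uint64_t mult = 1;

    if (end == s)                       /* no digits at all */
        return 0;
    switch (*end) {
    case 'K': case 'k': mult = 1000ULL; break;
    case 'M': case 'm': mult = 1000ULL * 1000; break;
    case 'G': case 'g': mult = 1000ULL * 1000 * 1000; break;
    case 'T': case 't': mult = 1000ULL * 1000 * 1000 * 1000; break;
    case '\0': break;                   /* bare bits-per-second value */
    default: return 0;                  /* unknown suffix or trailing junk */
    }
    /* Reject rather than wrap: the very failure mode the 32-bit field had. */
    if (v != 0 && mult > UINT64_MAX / v)
        return 0;
    return (uint64_t)v * mult;
}

/* What a 32-bit bandwidth field actually stores: the value modulo 2^32. */
uint32_t bw_truncate32(uint64_t bps)
{
    return (uint32_t)bps;
}

/* Explicit check that was missing: does the value survive a 32-bit field? */
int bw_fits32(uint64_t bps)
{
    return bps <= UINT32_MAX;
}

int main(void)
{
    /* Constructed sample values, not taken from any real pf.conf. */
    const char *samples[] = { "4G", "10G", "100G", "999G" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t bps = bw_parse64(samples[i]);
        printf("%-5s = %20llu bps  32-bit field keeps %10u  fits32=%d\n",
               samples[i], (unsigned long long)bps,
               bw_truncate32(bps), bw_fits32(bps));
    }
    return 0;
}
```

Running it shows that 4G still fits, while 10G is silently reduced to roughly 1.41 Gbps in a 32-bit field, which is the kind of incorrect scheduler input the patch eliminates by widening the field and that a configuration parser should refuse outright.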

The Gossip

OpenBSD's Bottleneck Breakdown

Commenters debated whether OpenBSD's PF firewall, even with the bandwidth limitation fixed, can genuinely handle high throughput. Concerns were raised about OpenBSD's traditional focus on security over performance, its current single-threaded nature (compared to FreeBSD's multithreaded PF), and a perceived lack of robust driver support for high-speed (10G+) datacenter interfaces. Some clarified that the fix specifically addresses *bandwidth limitation values* rather than raw packet filtering speed, distinguishing between configuration and actual performance capabilities.

Predictive Power & Gigantic Gaffes

The article's assertion that 999G is 'more than enough for interfaces today and the future' was met with considerable skepticism. Commenters drew parallels to famous historical mispredictions in computing (e.g., Bill Gates's 640K RAM comment) and highlighted current advancements in networking, pointing out that 800G NICs already exist and IEEE 802.3dj is working on 1.6T Ethernet, suggesting that arbitrary limits will inevitably be reached again sooner than anticipated.

The Silent Sentinel's Slip-up

The revelation that OpenBSD's PF silently 'wrapped around' and produced incorrect behavior when bandwidth values exceeded 4 Gbps caused concern among the community. This 'silent failure' mode was seen as a surprising deviation from OpenBSD's strong reputation for explicit error handling and security, leading some users to express apprehension about potential similar hidden issues within the system's code.