From: Luigi Rizzo
Message-Id: <200001081603.RAA10786@info.iet.unipi.it>
Subject: ipf vs. ipfw
In-Reply-To: <4.2.2.20000109021927.00dba250@mail.southcom.com.au> from james at "Jan 9, 2000 02:26:30 am"
To: james
Date: Sat, 8 Jan 2000 17:03:29 +0100 (CET)
Cc: freebsd-current@FreeBSD.ORG

> Why is ipf so slow? I was planning on switching from ipfw/natd to
> ipf/ipnat, but i don't think i want to now - considering it's so darn slow.

ok, i have heard for a long time people claiming how much better
is ipf over ipfw etc. etc.

I have briefly looked at docs and source for ipf. I think the basic
rulechecking algorithms in ipf are no better/faster than the ones
in ipfw. If you want to switch from ipfw (no natd!) to ipf just
for performance reasons, i think you are not going to get any
significant advantage if any (i mean, if you write your ipfw rules
in an intelligent way.).

For sure the pair ipf/ipnat should be faster than ipfw/natd, but
just because natd is a user-space thing and this means additional
data movements between kernel and user space that ipf needs not.

Other reasons for the switch could be the fact that ipf is stateful
(but i am working on adding state to ipfw, if i find proper support
- hint, hint), so you can build better things.

In other words, if you want to switch, be motivated by features,
not by performance!
cheers
luigi

-----------------------------------+-------------------------------------
  Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
  http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
  TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
  Mobile   +39-347-0373137
-----------------------------------+-------------------------------------