Date: Tue, 22 Sep 1998 11:32:37 -0500
From: Alex Nash <nash@mcs.net>
To: Darren Reed <avalon@coombs.anu.edu.au>, Liam Slusser <liam@tiora.net>
Cc: tomaz.borstnar@over.net, freebsd-security@FreeBSD.ORG
Subject: Re: performance comparision of ipfilter and ipfw
Message-ID: <19980922113237.A28158@mcs.net>
In-Reply-To: <199809221352.GAA05368@hub.freebsd.org>; from Darren Reed on Tue, Sep 22, 1998 at 11:50:52PM +1000
References: <Pine.BSF.3.96.980922003608.7110B-100000@orbital.tiora.net> <199809221352.GAA05368@hub.freebsd.org>

On Tue, Sep 22, 1998 at 11:50:52PM +1000, Darren Reed wrote:
> I missed the original email (presumably posted elsewhere) but I'll respond
> re. IP Filter.
>
> In testing I did some time ago now, on a Sun Sparc2 (~486dx2-66 in speed).
> With 400 rules, 400 packets took around 11 minutes to be processed 1000
> times which comes out at around 4us for 1 packet to be processed by 1 rule.
> That is *JUST* for packet filtering, no state stuff, no NAT, no logging.

I've measured ipfw's overhead on a 486-66, further details of which can be
found in the FreeBSD FAQ. Here's a brief summary:

Two scenarios with 1000 rules were tested. The first presented a best case
with rules that were quickly determined not to match the packet being
processed. The second used rules which traversed the entire packet match
routine before being rejected. In both cases, the 1000th rule was the
accepting rule.

The findings showed a best case processing time of 1.2us per packet per
rule, and a worst case of 2.7us per packet per rule.

Alex

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message