From owner-freebsd-security Tue Sep 22 09:33:10 1998
Message-ID: <19980922113237.A28158@mcs.net>
Date: Tue, 22 Sep 1998 11:32:37 -0500
From: Alex Nash
To: Darren Reed, Liam Slusser
Cc: tomaz.borstnar@over.net, freebsd-security@FreeBSD.ORG
Subject: Re: performance comparison of ipfilter and ipfw
In-Reply-To: <199809221352.GAA05368@hub.freebsd.org>; from Darren Reed on Tue, Sep 22, 1998 at 11:50:52PM +1000

On Tue, Sep 22, 1998 at 11:50:52PM +1000, Darren Reed wrote:
> I missed the original email (presumably posted elsewhere) but I'll respond
> re. IP Filter.
>
> In testing I did some time ago now, on a Sun Sparc2 (~486dx2-66 in speed).
> With 400 rules, 400 packets took around 11 minutes to be processed 1000
> times which comes out at around 4us for 1 packet to be processed by 1 rule.
> That is *JUST* for packet filtering, no state stuff, no NAT, no logging.

I've measured ipfw's overhead on a 486-66, further details of which can be
found in the FreeBSD FAQ. Here's a brief summary:

Two scenarios with 1000 rules were tested. The first presented a best case
with rules that were quickly determined not to match the packet being
processed. The second used rules which traversed the entire packet match
routine before being rejected. In both cases, the 1000th rule was the
accepting rule.

The findings showed a best case processing time of 1.2us per packet per rule,
and a worst case of 2.7us per packet per rule.

Alex
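The two scenarios Alex describes (rules that fail on the first field versus rules that run the whole match routine before rejecting, with rule 1000 accepting in both) can be reproduced on a toy linear rule list. The following is an added example written for this page, not ipfw or IP Filter source: it assumes a simplified five-field rule (protocol, source, destination, source port, destination port) matched with first-mismatch short-circuiting, counts how many field comparisons each scenario costs, and times a crude microseconds-per-packet-per-rule figure the way the quoted measurements were expressed. The packet and rule sets are constructed inline.

```c
/* Toy linear packet-filter rule list, instrumented to count field comparisons.
 * Example code for this page; not ipfw or IP Filter code. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define NRULES 1000

enum action { ACT_DENY = 0, ACT_ALLOW = 1 };

struct pkt {
    uint8_t  proto;
    uint32_t src, dst;
    uint16_t sport, dport;
};

/* Assumed rule model: a rule matches only when all five fields equal the
 * packet's. Fields are tested in order; the first mismatch rejects the rule. */
struct rule {
    uint8_t  proto;
    uint32_t src, dst;
    uint16_t sport, dport;
    enum action act;
};

struct stats {
    int  rule_hit;      /* 0-based index of the matching rule, -1 if none */
    long comparisons;   /* field comparisons spent on this packet */
};

static int rule_match(const struct rule *r, const struct pkt *p, long *cmp)
{
    (*cmp)++; if (r->proto != p->proto) return 0;
    (*cmp)++; if (r->src   != p->src)   return 0;
    (*cmp)++; if (r->dst   != p->dst)   return 0;
    (*cmp)++; if (r->sport != p->sport) return 0;
    (*cmp)++; if (r->dport != p->dport) return 0;
    return 1;
}

/* Walk the list top to bottom and stop at the first matching rule. */
struct stats filter(const struct rule *rules, int n, const struct pkt *p)
{
    struct stats s = { -1, 0 };
    for (int i = 0; i < n; i++) {
        if (rule_match(&rules[i], p, &s.comparisons)) {
            s.rule_hit = i;
            break;
        }
    }
    return s;
}

/* Constructed sample packet: TCP 10.0.0.1:40000 -> 192.168.0.1:22. */
static const struct pkt sample = { 6, 0x0a000001u, 0xc0a80001u, 40000, 22 };

/* Best case: the 999 non-final rules fail on the first field (UDP vs TCP).
 * Worst case: they agree on four fields and fail only on dport, so the whole
 * match routine runs before rejecting. Rule NRULES-1 accepts in both sets. */
void build_rules(struct rule *best, struct rule *worst)
{
    for (int i = 0; i < NRULES; i++) {
        struct rule r = { sample.proto, sample.src, sample.dst,
                          sample.sport, sample.dport, ACT_ALLOW };
        best[i] = worst[i] = r;
        if (i < NRULES - 1) {
            best[i].act = worst[i].act = ACT_DENY;
            best[i].proto = 17;   /* mismatch at field 1 */
            worst[i].dport = 23;  /* mismatch at field 5 */
        }
    }
}

/* Build both rule sets and run the sample packet through one of them. */
struct stats run_scenario(int worst_case)
{
    static struct rule best[NRULES], worst[NRULES];
    build_rules(best, worst);
    return filter(worst_case ? worst : best, NRULES, &sample);
}

/* Rough wall-clock cost per packet per rule, in the units the thread uses. */
static double us_per_packet_per_rule(const struct rule *rules, int iters)
{
    volatile int sink = 0;
    clock_t t0 = clock();
    for (int i = 0; i < iters; i++) sink += filter(rules, NRULES, &sample).rule_hit;
    double secs = (double)(clock() - t0) / CLOCKS_PER_SEC;
    return secs * 1e6 / ((double)iters * NRULES);
}

int main(void)
{
    static struct rule best[NRULES], worst[NRULES];
    build_rules(best, worst);
    struct stats b = filter(best, NRULES, &sample), w = filter(worst, NRULES, &sample);
    printf("best : hit rule %d after %ld comparisons\n", b.rule_hit + 1, b.comparisons);
    printf("worst: hit rule %d after %ld comparisons\n", w.rule_hit + 1, w.comparisons);
    printf("best : %.4f us/packet/rule\n", us_per_packet_per_rule(best, 2000));
    printf("worst: %.4f us/packet/rule\n", us_per_packet_per_rule(worst, 2000));
    return 0;
}
```

The comparison counts are deterministic (1004 for the best case, 5000 for the worst, each ending at rule 1000), which is what separates the two scenarios; the timing figures depend entirely on the host and are only there to show how a per-packet-per-rule number is derived from a loop over the list.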