Date: Thu, 25 Jun 1998 14:19:13 +0300 (EEST)
From: Heikki Suonsivu <hsu@clinet.fi>
To: Julian Assange <proff@iq.org>
Cc: sthaug@nethelp.no, chuck+ipfilter@snew.com, 7gprn@qlink.queensu.ca, ipfilter@postbox.anu.edu.au, freebsd-security@FreeBSD.ORG
Subject: Re: Firewall requirements
Message-ID: <13714.12849.443301.474422@katiska.clinet.fi>
In-Reply-To: <wxu359holt.fsf@polysynaptic.iq.org>
References: <19980624104152.63811@yerkes.com> <28166.898701790@verdi.nethelp.no> <wxu359holt.fsf@polysynaptic.iq.org>

Julian Assange writes:
 > measly p100. Ipfilter has a lot less over-head and memory movement
 > than this, and provided the mtu is large and the ruleset isn't
 > hundreds of entries long, should be able to keep up with 100mps
 > traffic quite easily.

The problem is that the ruleset is usually long if we are talking about multiport routers built on top of FreeBSD, because there are a number of rules for each port. On Ciscos, access lists are port-specific, which reduces linear accesses quite a bit. It would be better to have an O(log n) algorithm for address matching, like a radix tree a la the routing table.

A P90 does not seem to keep up with 100 Mbps even when large packets are transferred with 50 rules (CPU goes to 100% before reaching 100 Mbps). I haven't really tried faster routers. I think this kind of performance test should be done with a smaller average packet size to get better estimates, or compare pps values instead of bps values like router manufacturers do.

 > On an interesting side-note, I found routing packets through
 > /dev/launder from a 10mps link actually improved tcp performance
 > by 5%. Quite strange that.
 >
 > Cheers,
 > Julian.
 >
 > To Unsubscribe: send mail to majordomo@FreeBSD.org
 > with "unsubscribe security" in the body of the message

-- 
Heikki Suonsivu, Täysikuu 10 C 83/02210 Espoo/FINLAND, hsu@clinet.fi
mobile +358-40-5519679 work +358-9-43542270 fax -4555276
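
An added illustration of the scaling argument in the message above (not code from this thread or from ipfilter): a constructed C comparison of a linear rule scan with a binary trie keyed on destination prefix. It assumes longest-prefix-match semantics, as a routing table uses, rather than ipfilter's rule-order semantics; every name and the 200-rule set are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed rule: destination prefix and verdict (1 = pass, 0 = block). */
struct rule { uint32_t net; int len; int pass; };
struct node { struct node *kid[2]; int has, pass; };
int lin_steps, trie_steps;            /* work done by the last demo() call */
static uint32_t mask(int len) { return len ? ~0u << (32 - len) : 0; }
/* Linear list: every rule is examined, the most specific match wins. */
int linear_lookup(const struct rule *r, int n, uint32_t dst) {
    int best = -1, pass = 0;          /* default: block */
    for (int i = 0; i < n; i++, lin_steps++)
        if ((dst & mask(r[i].len)) == r[i].net && r[i].len > best) {
            best = r[i].len; pass = r[i].pass;
        }
    return pass;
}
/* Binary trie: one node per prefix bit, so a lookup visits at most 33 nodes. */
void trie_insert(struct node *n, const struct rule *r) {
    for (int i = 0; i < r->len; i++) {
        int b = (r->net >> (31 - i)) & 1;
        if (!n->kid[b] && !(n->kid[b] = calloc(1, sizeof *n))) abort();
        n = n->kid[b];
    }
    n->has = 1; n->pass = r->pass;
}
int trie_lookup(const struct node *n, uint32_t dst) {
    int pass = 0;                     /* default: block */
    for (int i = 0; n; i++, trie_steps++) {
        if (n->has) pass = n->pass;   /* remember the deepest matching prefix */
        n = i < 32 ? n->kid[(dst >> (31 - i)) & 1] : NULL;
    }
    return pass;
}
/* Constructed ruleset: 10.0.i.0/24 for i = 0..199, odd i passes. */
int demo(uint32_t dst) {
    static struct rule rules[200]; static struct node root; static int built;
    for (int i = 0; !built && i < 200; i++) {
        rules[i] = (struct rule){ 0x0A000000u | (uint32_t)i << 8, 24, i & 1 };
        trie_insert(&root, &rules[i]);
    }
    built = 1; lin_steps = trie_steps = 0;
    int a = linear_lookup(rules, 200, dst), b = trie_lookup(&root, dst);
    return a == b ? a : -1;           /* -1 would mean the two disagree */
}
int main(void) {
    int v = demo(0x0A008905u);        /* 10.0.137.5 */
    printf("verdict=%d linear=%d trie=%d\n", v, lin_steps, trie_steps);
}
```

The linear cost grows with the number of rules, while the trie cost is bounded by the address width, which is the difference that matters when per-packet work is the limit.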