Message-Id: <199809231040.DAA27849@hub.freebsd.org>
From: Darren Reed
Subject: Re: performance comparision of ipfilter and ipfw
To: nash@mcs.net (Alex Nash)
Date: Wed, 23 Sep 1998 20:39:24 +1000 (EST)
Cc: avalon@coombs.anu.edu.au, liam@tiora.net, tomaz.borstnar@over.net, freebsd-security@FreeBSD.ORG
In-Reply-To: <19980922113237.A28158@mcs.net> from "Alex Nash" at Sep 22, 98 11:32:37 am

In some mail from Alex Nash, sie said:
>
> On Tue, Sep 22, 1998 at 11:50:52PM +1000, Darren Reed wrote:
> > I missed the original email (presumably posted elsewhere) but I'll respond
> > re. IP Filter.
> >
> > In testing I did some time ago now, on a Sun Sparc2 (~486dx2-66 in speed).
> > With 400 rules, 400 packets took around 11 minutes to be processed 1000
> > times which comes out at around 4us for 1 packet to be processed by 1 rule.
> > That is *JUST* for packet filtering, no state stuff, no NAT, no logging.
>
> I've measured ipfw's overhead on a 486-66, further details of which can
> be found in the FreeBSD FAQ. Here's a brief summary:
>
> Two scenarios with 1000 rules were tested. The first presented a best
> case with rules that were quickly determined not to match the packet
> being processed. The second used rules which traversed the entire
> packet match routine before being rejected. In both cases, the 1000th
> rule was the accepting rule.
>
> The findings showed a best case processing time of 1.2us per packet per
> rule, and a worst case of 2.7us per packet per rule.

Hmm, I'll have to tune my code to make sure I can go faster ;)