Date: Wed, 23 Sep 1998 20:39:24 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: nash@mcs.net (Alex Nash)
Cc: avalon@coombs.anu.edu.au, liam@tiora.net, tomaz.borstnar@over.net, freebsd-security@FreeBSD.ORG
Subject: Re: performance comparision of ipfilter and ipfw
Message-ID: <199809231040.DAA27849@hub.freebsd.org>
In-Reply-To: <19980922113237.A28158@mcs.net> from "Alex Nash" at Sep 22, 98 11:32:37 am

In some mail from Alex Nash, sie said:
>
> On Tue, Sep 22, 1998 at 11:50:52PM +1000, Darren Reed wrote:
> > I missed the original email (presumably posted elsewhere) but I'll respond
> > re. IP Filter.
> >
> > In testing I did some time ago now, on a Sun Sparc2 (~486dx2-66 in speed).
> > With 400 rules, 400 packets took around 11 minutes to be processed 1000
> > times which comes out at around 4us for 1 packet to be processed by 1 rule.
> > That is *JUST* for packet filtering, no state stuff, no NAT, no logging.
>
> I've measured ipfw's overhead on a 486-66, further details of which can
> be found in the FreeBSD FAQ. Here's a brief summary:
>
> Two scenarios with 1000 rules were tested. The first presented a best
> case with rules that were quickly determined not to match the packet
> being processed. The second used rules which traversed the entire
> packet match routine before being rejected. In both cases, the 1000th
> rule was the accepting rule.
>
> The findings showed a best case processing time of 1.2us per packet per
> rule, and a worst case of 2.7us per packet per rule.

Hmm, I'll have to tune my code to make sure I can go faster ;)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message