 From:  "Tonix (Antonio Nati)" <tonix at interazioni dot it>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Rules performance - it WAS Re: [m0n0wall] CARP and OUT rules
 Date:  Fri, 16 Sep 2011 09:49:36 +0200
On 08/09/2011 00:26, Chris Buechler wrote:
> That's correct - to an extent. I haven't specifically tested with
> ipfilter and am not extremely familiar with its internals, but the
> more rules you have, the more resources are required to evaluate the
> ruleset. From my testing on other BSD packet filters, it's not really
> relevant unless you're talking about a difference between 50000+ rules
> and a few dozen, it takes an extremely large ruleset to have a
> measurable difference. Even at that, the biggest impact to performance
> is the maximum number of new connections per second achievable, the
> time difference between opening a single connection with 1 rule and
> 100,000 rules is minuscule in the scheme of things in most all
> scenarios.


Can you give some numbers about this performance?
The word minuscule is fine, but when managing a lot of traffic it would be nice 
to know the real delay of each packet (half a millisecond is far away from 
1/100 of a millisecond).

As an example (for a given platform), how much time does it take to evaluate 
50, 5,000, 50,000 or 500,000 rules?
And how much time is needed to evaluate an already accepted connection?


         Inter@zioni            Interazioni di Antonio Nati
    http://www.interazioni.it      tonix at interazioni dot it
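The two costs asked about above (first-match evaluation of a ruleset versus the lookup an already accepted connection pays) can be separated in a toy model. This is an added example, not m0n0wall or ipfilter code; the rules, the flow tuples and the timing harness are constructed here, and absolute times only mean something relative to each other on the same machine.

```python
"""Toy stateful filter for the cost question in this thread: a new connection
pays a linear walk over the ruleset, an already accepted one pays one state-table
lookup. Added example, not m0n0wall/ipfilter code; rules and flows are constructed."""
import ipaddress
import time
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    network: ipaddress.IPv4Network  # destination network to match
    dport: Optional[int]            # None matches any destination port
    action: str                     # "pass" or "block"

def build_ruleset(n):
    """n block rules on distinct 10.x.y.0/24 nets plus a final pass-any."""
    rules = [Rule(ipaddress.IPv4Network(f"10.{i >> 8}.{i & 255}.0/24"), None, "block")
             for i in range(n)]
    rules.append(Rule(ipaddress.IPv4Network("0.0.0.0/0"), None, "pass"))
    return rules

def evaluate(rules, dst, dport):
    """First-match walk. Returns (action, number_of_rules_examined)."""
    for i, r in enumerate(rules, 1):
        if dst in r.network and (r.dport is None or r.dport == dport):
            return r.action, i
    return "block", len(rules)      # implicit default deny

def filter_packet(rules, state, flow):
    """flow = (src, sport, dst, dport). A state-table hit evaluates no rules."""
    if flow in state:
        return state[flow], 0
    action, examined = evaluate(rules, ipaddress.IPv4Address(flow[2]), flow[3])
    if action == "pass":
        state[flow] = action        # later packets of this flow skip the rules
    return action, examined

def _mean_us(fn, repeats):
    t0 = time.perf_counter()
    for _ in range(repeats):
        fn()
    return (time.perf_counter() - t0) / repeats * 1e6

def benchmark(n_rules, repeats=20):
    """Mean microseconds per packet: first packet of a flow vs. a later one."""
    rules, flow = build_ruleset(n_rules), ("198.51.100.7", 40000, "192.0.2.10", 443)
    state = {}
    filter_packet(rules, state, flow)           # seed the state table once
    return {"rules": n_rules,
            "first_us": _mean_us(lambda: filter_packet(rules, {}, flow), repeats),
            "established_us": _mean_us(lambda: filter_packet(rules, state, flow), repeats)}
```

Running `benchmark(n)` for n in 50, 5000 and 50000 shows `first_us` growing with n while `established_us` stays flat, which is the distinction between new-connection rate and per-packet delay made in the quoted reply.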