 From:  "Tonix (Antonio Nati)" <tonix at interazioni dot it>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Rules performance - it WAS Re: [m0n0wall] CARP and OUT rules
 Date:  Fri, 16 Sep 2011 09:49:36 +0200
On 08/09/2011 00:26, Chris Buechler wrote:
> That's correct - to an extent. I haven't specifically tested with
> ipfilter and am not extremely familiar with its internals, but the
> more rules you have, the more resources are required to evaluate the
> ruleset. From my testing on other BSD packet filters, it's not really
> relevant unless you're talking about a difference between 50000+ rules
> and a few dozen, it takes an extremely large ruleset to have a
> measurable difference. Even at that, the biggest impact to performance
> is the maximum number of new connections per second achievable, the
> time difference between opening a single connection with 1 rule and
> 100,000 rules is minuscule in the scheme of things in most all
> scenarios.

Chris,

can you give some numbers about these performances?
The word minuscule is OK, but when managing a lot of traffic it would be 
nice to know the real delay of each packet (half a millisecond is far away 
from 1/100 millisecond).

As an example (for a given platform), how much time does it take to 
evaluate 50 or 5000 or 50,000 or 500,000 rules?
And how much time is needed to evaluate an already accepted connection?

Thanks,

Tonino




-- 
------------------------------------------------------------
         Inter@zioni            Interazioni di Antonio Nati
    http://www.interazioni.it      tonix at interazioni dot it
------------------------------------------------------------
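Added example (not from this thread, and not m0n0wall or ipfilter code): a
small Python model of the two costs Chris and Tonino are discussing, so the
shape of the answer can be seen even without numbers for a given platform.
New connections walk a first-match ruleset linearly, so their cost grows
with the rule count; packets of an already accepted connection are answered
from a state table (a hash lookup here) and never touch the ruleset. The
rule format, the 10.0.0.0/8 filler rules, the 192.168.1.0/24 client and
the 198.51.100.7 destination are all constructed for the example. The
microsecond figures it prints are for this Python model only; real ipfilter
figures must be measured on the real box.

```python
"""Toy model of a first-match packet filter with a state table.

Added example for this thread; NOT m0n0wall or ipfilter code. It models
the two costs discussed: a new connection walking the ruleset, and a
state-table lookup for packets of an already accepted connection.
"""
import ipaddress
import time
from dataclasses import dataclass
from typing import Optional, Tuple


def ip(addr: str) -> int:
    """IPv4 address as an int, so matching is a mask-and-compare."""
    return int(ipaddress.IPv4Address(addr))


def net(cidr: str) -> Tuple[int, int]:
    """CIDR block as (network, netmask) ints."""
    n = ipaddress.IPv4Network(cidr)
    return int(n.network_address), int(n.netmask)


ANY_NET = net("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "tcp", "udp" or "any"
    src: Tuple[int, int]        # (network, mask)
    dst: Tuple[int, int]
    dport: Optional[int]        # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: int
    dst: int
    sport: int
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and (pkt.src & rule.src[1]) == rule.src[0]
            and (pkt.dst & rule.dst[1]) == rule.dst[0]
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate_ruleset(rules, pkt: Packet, default="block"):
    """First-match walk. Returns (action, number_of_rules_examined)."""
    for i, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            return rule.action, i
    return default, len(rules)


class StatefulFilter:
    """Only the first packet of a flow walks the ruleset; later packets
    of an accepted flow are answered from the state table."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = {}  # 5-tuple -> action

    def filter(self, pkt: Packet):
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        cached = self.state.get(key)
        if cached is not None:
            return cached, 0              # state hit: zero rules examined
        action, examined = evaluate_ruleset(self.rules, pkt)
        if action == "pass":
            self.state[key] = action      # create state for the new flow
        return action, examined


def build_ruleset(n_block: int):
    """Constructed ruleset: n_block host-specific block rules in 10.0.0.0/8
    (filler that never matches the LAN client below), then one pass rule
    letting 192.168.1.0/24 reach anywhere on TCP/443."""
    rules = []
    for i in range(n_block):
        host = f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}/32"
        rules.append(Rule("block", "any", net(host), ANY_NET, None))
    rules.append(Rule("pass", "tcp", net("192.168.1.0/24"), ANY_NET, 443))
    return rules


def lan_client_packet(sport: int = 40000) -> Packet:
    # Constructed sample: LAN host to a TEST-NET-2 address on HTTPS.
    return Packet("tcp", ip("192.168.1.10"), ip("198.51.100.7"), sport, 443)


def benchmark(n_rules: int, n_packets: int = 200):
    """Microseconds per packet: a new flow walking n_rules block rules
    before its pass rule, versus the same flow once it is in state."""
    fw = StatefulFilter(build_ruleset(n_rules))
    pkts = [lan_client_packet(1024 + i) for i in range(n_packets)]
    t0 = time.perf_counter()
    for p in pkts:
        fw.filter(p)                      # each packet is a new 5-tuple
    t1 = time.perf_counter()
    for p in pkts:
        fw.filter(p)                      # all state hits now
    t2 = time.perf_counter()
    return {"rules": n_rules,
            "us_new_connection": (t1 - t0) / n_packets * 1e6,
            "us_established": (t2 - t1) / n_packets * 1e6}


if __name__ == "__main__":
    for n in (50, 5000, 50000):
        print(benchmark(n))
```

Running it prints one line per ruleset size. The "us_new_connection" figure
grows roughly in proportion to the rule count, while "us_established" stays
flat, which is the point behind Chris's remark that the visible cost of a
huge ruleset is in new connections per second, not per-packet latency. On a
real firewall the same measurement is done by generating new flows at a known
rate and watching where the connection rate or CPU saturates, with and
without the extra rules.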