 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] CARP and OUT rules
 Date:  Wed, 7 Sep 2011 18:26:03 -0400
On Wed, Sep 7, 2011 at 5:41 PM, Tonix (Antonio Nati)
<tonix at interazioni dot it> wrote:
> Practically speaking instead of several "pass in"
>   pass in on eth0 proto tcp from any to
>   pass in on eth1 proto tcp from any to
>   pass in on eth2 proto tcp from any to
>   pass in on eth3 proto tcp from any to
>   ...............................
>   pass in on ethN proto tcp from any to
> it would become simply
>   pass out on eth5 proto tcp from any to
> This "pass out" rule eliminates all N rules needed for every incoming
> interface.
> So, I feel handling a rules table 20 times smaller would help
> rule-checking performance a lot.

That's correct - to an extent. I haven't specifically tested with
ipfilter and am not extremely familiar with its internals, but the
more rules you have, the more resources are required to evaluate the
ruleset. From my testing on other BSD packet filters, it's not really
relevant unless you're talking about a difference between 50000+ rules
and a few dozen; it takes an extremely large ruleset to have a
measurable difference. Even at that, the biggest impact on performance
is the maximum number of new connections per second achievable; the
time difference between opening a single connection with 1 rule and
100,000 rules is minuscule in the scheme of things in most all