Subject: Re: IPFilter practical limits?
To: Peter Eisch <firstname.lastname@example.org>
From: Darren Reed <darrenr@NetBSD.org>
Date: 03/27/2006 20:32:02
On Mon, Mar 27, 2006 at 12:14:28PM -0600, Peter Eisch wrote:
> Short of reading source, is there a practical guide for how to tune ipfilter
> or how to use each of the configurable parameters?
> Also, for higher utilization systems (ones with lots of state entries) would
> pf be a better solution? Or, put another way, if I have an infinite amount
> of RAM and the kernel can have it, is there a practical point where using pf
> would be better?
No, there isn't. IPFilter uses hash tables for its storage/lookup and
if you had infinite amounts of RAM, you could always guarantee that a
lookup would hit or miss on first try (rather than work your way through
a tree like pf uses.) So if you like, you could tune ipfilter towards
using more RAM in a manner that suited quicker lookups. You can tell pf
it can make the tree bigger, but it will never get you an O(1) lookup
like you can do with a hash table.
I think the inverse might be true - if you could only have a small hash
table and you wanted to put lots of things in it, searching that could
be worse than a tree. But then I'd argue that you're dimensioning the