Subject: Re: ip_fil throughput rates?
To: Darren Reed <>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 10/26/1999 12:23:35
In message <>,
Darren Reed writes:

>In some email I received from Jonathan Stone, sie wrote:
>> Can a 500MHz Pentium-II keep up with, say, 100Mbit of actual TCP
>> traffic if using lean, mean rulesets?
>Hmmm, maybe.  With a lot of tweaking, I have been able to get an Ultra5
>(270MHz) to pass traffic through at about 93% speed of 100BaseT
>(11200+kB/s or 17000+pps, using ttcp).  Even then, you want to be using
>"fastroute" with "keep state" to achieve that. 

Thanks for the feedback, Darren.

Is `keep state' still going to be a win if the mean connection length
is only 8-10 TCP segments?  (Think of a webcrawler saturating the
100Mbit uplink).  I'm planning to prune the ruleset down to 5-10
top-level rules, with a group for each interface with about 5 more
rules.  If the connection lifetime is short, and the set of open
connections is very large, is keep-state a win over simple port-
and SYN-filtering?

(The manpage is less than clear about what keep-state actually
*does*:> Should I UTSL?)

>Slower CPU, better
>architecture.  Hard to say what it would be like on a 500MHz P-II,
>except that the box above can only receive ~7000 of those 17000 packets,
>each second.
>To get a fair idea of what impact ipfilter makes on performance, it'd
>be useful to know some sort of benchmark figures of a `naked' system.

Point taken. I thought `500MHz P-II running NetBSD-current' would be a
fairly well-defined datapoint.
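The ruleset shape Jonathan sketches above (a few top-level rules, a group per interface, "keep state" on the opening SYN versus plain port-and-SYN filtering) written out in ipf.conf form, as an added illustration that is not part of this thread. The interface names fxp0 (uplink) and fxp1 (inside), the 192.0.2.0/24 network, host 192.0.2.10 and the port numbers are all assumed; fastroute is not shown.

```conf
# Added illustration, not from the thread. fxp0 (uplink), fxp1 (inside),
# 192.0.2.0/24, 192.0.2.10 and the ports are assumed values.

# Top level: one rule per interface and direction. Each is a "head"
# rule; the head's own action (block) applies to a packet that matches
# no rule in its group, so every group defaults to deny.
block in  quick on fxp0 all head 100
block out quick on fxp0 all head 101
block in  quick on fxp1 all head 200
block out quick on fxp1 all head 201

# Group 100: inbound on the uplink, stateful version. "flags S" limits
# the match to the connection-opening SYN; "keep state" records that
# connection so its later segments are matched in the state table and
# do not walk the rule list again.
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 80 flags S keep state group 100
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 25 flags S keep state group 100
pass in quick on fxp0 proto udp from any to 192.0.2.10/32 port = 53 keep state group 100

# Group 100, stateless alternative (the "port- and SYN-filtering" the
# question compares against): pass new connections by port and SYN, and
# pass anything carrying ACK as "established". No per-connection entry
# is kept, but every segment walks the rules, and the ACK rule cannot
# tell a genuine reply from an unsolicited ACK-bearing segment.
#pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 80 flags S/SA group 100
#pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 25 flags S/SA group 100
#pass in quick on fxp0 proto tcp from any to 192.0.2.0/24 flags A/A group 100
#pass in quick on fxp0 proto udp from any to 192.0.2.10/32 port = 53 group 100

# Group 101: outbound on the uplink. Replies to connections recorded by
# the stateful rules above never reach here; these cover connections
# opened from inside.
pass out quick on fxp0 proto tcp from 192.0.2.0/24 to any flags S keep state group 101
pass out quick on fxp0 proto udp from 192.0.2.0/24 to any keep state group 101

# Groups 200/201: inside interface, same pattern.
pass in  quick on fxp1 proto tcp from 192.0.2.0/24 to any flags S keep state group 200
pass in  quick on fxp1 proto udp from 192.0.2.0/24 to any keep state group 200
pass out quick on fxp1 all group 201
```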