Subject: Re: ip_fil throughput rates?
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Darren Reed <>
List: tech-net
Date: 10/27/1999 11:09:44
In some email I received from Jonathan Stone, sie wrote:
> In message <>,
> Darren Reed writes:
> >In some email I received from Jonathan Stone, sie wrote:
> [...]
> >> Can a 500MHz Pentium-II keep up with, say, 100Mbit of actual TCP
> >> traffic if using lean, mean rulesets?
> >
> >Hmmm, maybe.  With a lot of tweaking, I have been able to get an Ultra5
> >(270MHz) to pass traffic through at about 93% speed of 100BaseT
> >(11200+kB/s or 17000+pps, using ttcp).  Even then, you want to be using
> >"fastroute" with "keep state" to achieve that. 
> thanks for the feedback, Darren.
> Is `keep state' still going to be a win if the mean connection length
> is only 8-10 TCP segments?  (Think of a webcrawler saturating the
> 100Mbit uplink).  I'm planning to prune the ruleset down to 5-10
> top-level rules, with a group for each interface with about 5 more
> rules.  If the connection lifetime is short, and the set of open
> connections is very large, is keep-state a win over simple port-
> and SYN-filtering?

Yes, as once state information is in the state table, it's a hash
lookup to find it again rather than going over X rules.  You did,
however, mention that you were using only a few rules, so if the
security is less important than performance, not using keep state
may be a win (after you consider costs of adding/deleting from
table, collisions, etc).  "fastroute" is something you want to use
as packets which match those rules are effectively output the other
side without checking the access lists again.
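A concrete ruleset for the trade-off discussed in this reply, added here as an illustration; it is not taken from the thread or from IPFilter's own documentation. It assumes a forwarding box with fxp1 facing the crawler's network 192.0.2.0/24 and fxp0 as the 100Mbit uplink (interface names and addresses are placeholders), and uses the rule grammar of ipf.conf(5) (action, direction, quick, on <if> [fastroute], proto, from/to, flags, keep state). Check it against the manual page of the ipf version actually in use before loading it with `ipf -Fa -f`.

```ipf
# ---- Variant A: stateful, as recommended above ("fastroute" + "keep state") ----
# The crawler's first SYN of each connection is the only packet that walks the
# rule list: it creates a state-table entry and is fastrouted out the uplink,
# so the out rules are never consulted for it. Every later segment of that
# connection (replies arriving on fxp0 included) is found by the state-table
# lookup, which ipf performs before scanning any rules.
pass in quick on fxp1 fastroute proto tcp from 192.0.2.0/24 to any flags S keep state

# Nothing that is not already in the state table gets in from the uplink.
block in quick on fxp0 all
block in all
block out all

# ---- Variant B: stateless port and SYN filtering (no state-table cost) ----
# Crawler -> Internet: anything the crawler sends goes straight out.
pass in quick on fxp1 fastroute proto tcp from 192.0.2.0/24 to any

# Internet -> crawler: refuse new connections (bare SYN: SYN set, ACK clear,
# other flags ignored) but let every other TCP segment back in. This is the
# "simple port- and SYN-filtering" case: cheap, but any non-SYN segment from
# outside (an ACK scan, a forged RST) is passed without question, which is
# the "security is less important than performance" caveat above.
block in quick on fxp0 proto tcp from any to any flags S/SA
pass  in quick on fxp0 fastroute proto tcp from any to 192.0.2.0/24 port = 80
pass  in quick on fxp0 fastroute proto tcp from any to 192.0.2.0/24 port = 443
pass  in quick on fxp0 fastroute proto tcp from any to 192.0.2.0/24 flags A/A
block in all
block out all
```

Only one variant should be loaded at a time; the blocks are shown together for comparison. With "quick" on every rule the first match wins, so the order shown matters: in variant B the SYN block must precede the broad pass rules, and in variant A the state rule must be reachable before the catch-all blocks. For 8-10 segment connections variant A pays the table insert and delete once per connection and serves the remaining segments from the hash table; variant B pays nothing per connection but evaluates the handful of fxp0 rules for every inbound segment and cannot tell a legitimate reply from an unsolicited ACK.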