Subject: Re: ip_fil throughput rates?
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Darren Reed <firstname.lastname@example.org>
Date: 10/27/1999 11:09:44
In some email I received from Jonathan Stone, sie wrote:
> In message <199910261900.FAA04940@avalon.reed.wattle.id.au>,
> Darren Reed writes:
> >In some email I received from Jonathan Stone, sie wrote:
> >> Can a 500MHz Pentium-II keep up with, say, 100Mbit of actual TCP
> >> traffic if using lean, mean rulesets?
> >Hmmm, maybe. With a lot of tweaking, I have been able to get an Ultra5
> >(270MHz) to pass traffic through at about 93% speed of 100BaseT
> >(11200+kB/s or 17000+pps, using ttcp). Even then, you want to be using
> >"fastroute" with "keep state" to achieve that.
> thanks for the feedback, Darren.
> Is `keep state' still going to be a win if the mean connection length
> is only 8-10 TCP segments? (Think of a webcrawler saturating the
> 100Mbit uplink). I'm planning to prune the ruleset down to 5-10
> top-level rules, with a group for each interface with about 5 more
> rules. If the connection lifetime is short, and the set of open
> connections is very large, is keep-state a win over simple port-
> and SYN-filtering?
Yes, as once state information is in the state table, it's a hash
lookup to find it again rather than going over X rules. You did,
however, mention that you were using only a few rules, so if the
security is less important than performance, not using keep state
may be a win (after you consider costs of adding/deleting from
table, collisions, etc). "fastroute" is something you want to use
as packets which match those rules are effectively output the other
side without checking the access lists again.