Subject: Re: Overhead of stateful packet filtering
To: None <tech-net@NetBSD.org>
From: Matthias Scheler <tron@zhadum.de>
List: tech-net
Date: 08/20/2005 20:21:03
In article <20050820121225.GI18952@nudo.bsws.de>,
Henning Brauer <hb-netbsd-tech-net@bsws.de> writes:
> there is no overhead - it is faster than stateless filtering, since
> state lookups are way faster than ruleset evaluations.
Cool. :-)
>> Stateful packet filtering means that it has to keep track of every
>> connection routed through it. I therefore wonder how much CPU time
>> and memory PF needs for that per connection.
> as said, it saves CPU power. for memory, well, the rule of thumb is
> something like 1000 states per MB of RAM in the machine.
That's quite efficient. So it looks like my LX can handle stateful packet
filtering without problems.
Kind regards
--
Matthias Scheler http://scheler.de/~matthias/