[nycbug-talk] iptables/pf benchmark

pete wright nomadlogic
Thu Jan 12 20:42:50 EST 2006


On 1/12/06, George R. <george at sddi.net> wrote:
> pete wright wrote:
> > has anyone seen December's Usenix ;login?
> >
> > there is an interesting article with a comparison between iptables
> > (linux kernel 2.4/redhat 7.3) and pf (open 3.3).  I have not had a
> > chance to really go through this thing carefully; but they find that
> > iptables is, in general, quicker when acting as both a router and
> > bridge.  to quote the conclusion:
> >
> > "Linux is, in general, more efficient than OpenBSD. In both router and bridge
> > configurations, it spends less time forwarding packets. Furthermore, iptables
> > filters packets more quickly than PF, with only one exception (in our
> > testing): if the transport-layer protocol of the transit packet, say, UDP,
> > differs from the specified transport-protocol type of a sequence of rules
> > ("protocol type" set to "TCP" in this example), PF ignores those rules and
> > confronts the packet only with the rest of the set, acting more efficiently
> > than Linux, which confronts the packet with all the rules in the set."
> >
> >
> > i could go into details, but then I would be taking subscriptions away
> > from Usenix ;)  Anyway, has anyone spent some time reading through
> > this article?
>
> I read the article when login came out. . . I'm going to refresh my
> memory on this. . .
>
> If I remember correctly, they were reviewing PF from an early stage of
> development. . . so I'd take the conclusions with a grain of salt.  PF
> was only released in OBSD 3.0, and I think they were using OBSD 3.3 in
> the comparison. . .
>

yea the systems were Open 3.3 v. RedHat 7.3.  So, I reckon at that
point pf may have been a bit fresh, and frankly the 2.4 kernels were
pretty good (compared to the state of things now in linux land IMO).
Maybe it's time to see if we can run an updated version of this
test....i'll do it when i have "free" time, sure ;p

-p


> And I gotta say, I look forward to every issue of login. . . it's a
> brilliant technical magazine that is full of useful articles. . . (so go
> join usenix if you aren't a member <g>)
>
> George
>


--
~~o0OO0o~~
Pete Wright
www.nycbug.org
NYC's *BSD User Group
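The one exception the quoted conclusion describes (PF skipping rules bound to a transport protocol the packet cannot match, while iptables evaluates every rule in order) comes down to how many rules a packet is "confronted" with. The following model is an added example, not code from the article, from ;login or from anyone in this thread. It assumes first-match semantics for both strategies (so it does not model PF's last-match/"quick" behaviour, only the protocol skip), and the rule set and packets are constructed for illustration.

```python
"""Model of two firewall rule-evaluation strategies.

Constructed example: a first-match walk over the whole rule set (the
behaviour the article attributes to iptables) versus a walk that never
evaluates rules whose transport protocol cannot match the packet (the
behaviour it attributes to PF). The rule set and packets are made up.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]      # "tcp", "udp", or None meaning "any protocol"
    dst_port: Optional[int]   # None meaning "any destination port"
    action: str               # "pass" or "block"


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Full match test for one rule: one 'confrontation' in the article's terms."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def walk_all_rules(rules: List[Rule], pkt: Packet,
                   default: str = "block") -> Tuple[str, int]:
    """Evaluate every rule in order until the first match.

    Returns (action, number_of_rules_evaluated)."""
    evaluated = 0
    for rule in rules:
        evaluated += 1
        if rule_matches(rule, pkt):
            return rule.action, evaluated
    return default, evaluated


def walk_skipping_other_protocols(rules: List[Rule], pkt: Packet,
                                  default: str = "block") -> Tuple[str, int]:
    """Same first-match semantics, but a rule bound to a different transport
    protocol is skipped before any match attempt, so it is never counted."""
    evaluated = 0
    for rule in rules:
        if rule.proto is not None and rule.proto != pkt.proto:
            continue  # ignored, as the article says PF does
        evaluated += 1
        if rule_matches(rule, pkt):
            return rule.action, evaluated
    return default, evaluated


# Constructed rule set: a run of TCP service rules followed by a single UDP rule.
RULES = [
    Rule("tcp", 22, "pass"),
    Rule("tcp", 25, "pass"),
    Rule("tcp", 80, "pass"),
    Rule("tcp", 443, "pass"),
    Rule("tcp", 993, "pass"),
    Rule("tcp", 3306, "block"),
    Rule("udp", 53, "pass"),
]


def compare(pkt: Packet) -> dict:
    """Decision and evaluation count of both strategies for one packet."""
    return {
        "all_rules": walk_all_rules(RULES, pkt),
        "skip_other_proto": walk_skipping_other_protocols(RULES, pkt),
    }


if __name__ == "__main__":
    # A UDP packet pays for every TCP rule under the first strategy but
    # only for the UDP rule under the second; a TCP packet costs the same
    # under both, which is the shape of the exception the article reports.
    for pkt in (Packet("udp", 53), Packet("tcp", 443), Packet("udp", 123)):
        print(pkt, compare(pkt))
```

The evaluation counts are the thing to look at: for the UDP/53 packet the whole-set walk touches all seven rules while the protocol-skipping walk touches one, and for a TCP/443 packet both touch four. Ordering a real ruleset so that the protocol check is the cheapest, earliest discriminator (or, in iptables, jumping to a per-protocol chain) is the usual way to get the same effect from a linear evaluator.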