[nycbug-talk] iptables/pf benchmark

pete wright nomadlogic
Thu Jan 12 19:47:32 EST 2006

Has anyone seen December's Usenix ;login?

There is an interesting article with a comparison between iptables
(Linux kernel 2.4/Red Hat 7.3) and pf (OpenBSD 3.3).  I have not had a
chance to really go through this thing carefully, but they find that
iptables is, in general, quicker when acting as both a router and a
bridge.  To quote the conclusion:

"Linux is, in general, more efficient than OpenBSD. In both router and bridge
configurations, it spends less time forwarding packets. Furthermore, iptables
filters packets more quickly than PF, with only one exception (in our
testing): if the transport-layer protocol of the transit packet, say, UDP,
differs from the specified transport-protocol type of a sequence of rules
("protocol type" set to "TCP" in this example), PF ignores those rules and
confronts the packet only with the rest of the set, acting more efficiently
than Linux, which confronts the packet with all the rules in the set."

I could go into details, but then I would be taking subscriptions away
from Usenix ;)  Anyway, has anyone spent some time reading through
this article?


Pete Wright
NYC's *BSD User Group

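To make the mechanism in the quoted conclusion concrete, here is an added toy model (a constructed example, not code from the article, from PF or from iptables). Both evaluators use the same last-match semantics over the same constructed rule set; the PF-style one precomputes "skip steps", so a packet whose protocol differs from a run of consecutive rules jumps past the whole run instead of testing each rule. The model assumes only a protocol and destination-port field and leaves out "quick", first-match semantics and the other skip-step fields PF actually uses.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    proto: str            # "tcp", "udp", or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "pass" or "block"

def linear_eval(rules: List[Rule], proto: str, dport: int) -> Tuple[str, int]:
    """Confront the packet with every rule, last match wins.
    Returns (verdict, number of rules checked)."""
    verdict, checks = "pass", 0
    for r in rules:
        checks += 1
        if r.proto in ("any", proto) and r.dport in (None, dport):
            verdict = r.action
    return verdict, checks

def skip_steps(rules: List[Rule]) -> List[int]:
    """For rule i, the index of the next rule whose proto differs (a simplified
    version of PF's precomputed skip steps). Computed back to front."""
    n = len(rules)
    skip = [n] * n
    for i in range(n - 2, -1, -1):
        skip[i] = skip[i + 1] if rules[i + 1].proto == rules[i].proto else i + 1
    return skip

def skip_eval(rules: List[Rule], proto: str, dport: int) -> Tuple[str, int]:
    """Same last-match semantics, but a proto mismatch jumps over the whole
    run of rules sharing that proto, so those rules are never examined."""
    skip = skip_steps(rules)
    verdict, checks, i = "pass", 0, 0
    while i < len(rules):
        checks += 1
        r = rules[i]
        if r.proto not in ("any", proto):
            i = skip[i]          # skip the rest of this protocol run
            continue
        if r.dport in (None, dport):
            verdict = r.action
        i += 1
    return verdict, checks

# Constructed rule set: block everything, then a run of TCP rules, then one UDP rule.
RULES = [Rule("any", None, "block"), Rule("tcp", 22, "pass"), Rule("tcp", 80, "pass"),
         Rule("tcp", 443, "pass"), Rule("tcp", 25, "block"), Rule("udp", 53, "pass")]

def compare(proto: str, dport: int) -> Tuple[str, int, int]:
    """(verdict, rules checked linearly, rules checked with skip steps) for one packet."""
    v1, c1 = linear_eval(RULES, proto, dport)
    v2, c2 = skip_eval(RULES, proto, dport)
    assert v1 == v2, "skip steps must never change the verdict"
    return v1, c1, c2

if __name__ == "__main__":
    for pkt in (("udp", 53), ("tcp", 80), ("udp", 123)):
        print(pkt, compare(*pkt))
```

A UDP packet skips the four TCP rules in one step, while a TCP packet is checked against all six rules under both models, which is exactly the single exception the quoted conclusion describes.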