[nycbug-talk] iptables/pf benchmark
George R.
george
Thu Jan 12 20:36:51 EST 2006
pete wright wrote:
> has anyone seen December's Usenix ;login?
>
> there is an interesting article with a comparison between iptables
> (linux kernel 2.4/redhat 7.3) and pf (open 3.3). I have not had a
> chance to really go through this thing carefully; but they find that
> iptables is, in general, quicker when acting as both a router and
> bridge. to quote the conclusion:
>
> "Linux is, in general, more efficient than OpenBSD. In both router and bridge
> configurations, it spends less time forwarding packets. Furthermore, iptables
> filters packets more quickly than PF, with only one exception (in our
> testing): if the transport-layer protocol of the transit packet, say, UDP,
> differs from the specified transport-protocol type of a sequence of rules
> ("protocol type" set to "TCP" in this example), PF ignores those rules and
> confronts the packet only with the rest of the set, acting more efficiently
> than Linux, which confronts the packet with all the rules in the set."
>
>
> i could go into details, but then I would be taking subscriptions away
> from Usenix ;) Anyway, has anyone spent some time reading through
> this article?
I read the article when login came out. . . I'm going to refresh my
memory on this. . .
If I remember correctly, they were reviewing PF from an early stage of
development. . . so I'd take the conclusions with a grain of salt. PF
was only released in OBSD 3.0, and I think they were using OBSD 3.3 in
the comparison. . .
And I gotta say, I look forward to every issue of login. . . it's a
brilliant technical magazine that is full of useful articles. . . (so go
join usenix if you aren't a member <g>)
George
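A toy model of the rule-evaluation difference the quoted conclusion describes, added here as an example and not code from the thread or the ;login article. It counts how many rules a packet is "confronted" with when every rule is compared versus when rules for a different transport protocol are skipped outright; the skip logic is a deliberate simplification of pf's real skip steps, and both evaluators use last-match-wins so only the comparison count differs.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]   # "tcp", "udp", or None for any protocol
    dport: Optional[int]   # destination port, or None for any port
    action: str            # "pass" or "block"


def rule_matches(rule: Rule, proto: str, dport: int) -> bool:
    return (rule.proto is None or rule.proto == proto) and \
           (rule.dport is None or rule.dport == dport)


def eval_all_rules(rules: List[Rule], proto: str, dport: int) -> Tuple[str, int]:
    """Confront the packet with every rule in the set (the behaviour the
    article attributes to iptables). Returns (decision, rules_compared)."""
    decision, compared = "block", 0
    for r in rules:
        compared += 1
        if rule_matches(r, proto, dport):
            decision = r.action          # last matching rule wins
    return decision, compared


def eval_skip_proto(rules: List[Rule], proto: str, dport: int) -> Tuple[str, int]:
    """Ignore rules whose transport protocol cannot match before comparing
    them (a simplified stand-in for pf's skip steps)."""
    decision, compared = "block", 0
    for r in rules:
        if r.proto is not None and r.proto != proto:
            continue                     # skipped without a confrontation
        compared += 1
        if rule_matches(r, proto, dport):
            decision = r.action
    return decision, compared


# Constructed ruleset: a default block, a long run of TCP-only pass rules,
# then one UDP rule, mirroring the "sequence of TCP rules" case in the quote.
RULESET = [Rule(None, None, "block")] + \
          [Rule("tcp", p, "pass") for p in range(1000, 1100)] + \
          [Rule("udp", 53, "pass")]

if __name__ == "__main__":
    for proto, port in (("udp", 53), ("tcp", 1050)):
        print(proto, port, "all:", eval_all_rules(RULESET, proto, port),
              "skip:", eval_skip_proto(RULESET, proto, port))
```

A UDP packet is compared against 102 rules in the first model and only 2 in the second; a TCP packet gains almost nothing, which is the "only one exception" the article notes.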