Re: [ANNOUNCE] nf-hipac v0.8 released

Roberto Nibali (ratz@drugphish.ch)
Sun, 29 Jun 2003 09:45:37 +0200


Hello,

>>Apart from that Roberto Nibali did some preliminary testing on nf-hipac.
>>You can find his posting to linux-kernel here:
>>http://marc.theaimsgroup.com/?l=linux-kernel&m=103358029605079&w=2
>>
>>Since there are currently no performance tests available for the
>>new release we want to encourage people interested in firewall
>>performance evaluation to include nf-hipac in their tests.
>
> Yes, I had missed this when I quickly looked at the web page using lynx.
> Thanks.
>
> One obvious thing that's missing in your performance and Roberto's figures
> is what *exactly* are the non-matching rules. Ie. do they only match IP
> address, a TCP port, or what? (TCP port matching is about a degree of
> complexity more expensive with iptables, I recall.)

When I did the tests I used a variant of following simple script [1].

There you can see that I only used a src port range. In an original
paper I wrote for my company (announced here [2]) I did create rules
that only matched IP addresses, the results were bad enough ;).

Meanwhile I should revise the paper as quite a few things have been
addressed since then: For example the performance issues with OpenBSD
packet filtering have mostly been squashed. I didn't continue on that
matter because I fell severely ill last autumn and first had to take
care of that.

[1] http://www.drugphish.ch/~ratz/genrules.sh
[2] http://www.ussg.iu.edu/hypermail/linux/kernel/0203.3/0847.html

HTH and Best regards,
Roberto Nibali, ratz

-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/