From: Roberto Nibali <ratz@drugphish.ch>
To: Pekka Savola <pekkas@netcore.fi>
Cc: Michael Bellion and Thomas Heinz <nf@hipac.org>,
linux-kernel@vger.kernel.org, netdev@oss.sgi.com
Subject: Re: [ANNOUNCE] nf-hipac v0.8 released
Date: Sun, 29 Jun 2003 09:45:37 +0200 [thread overview]
Message-ID: <3EFE9921.5010902@drugphish.ch> (raw)
In-Reply-To: <Pine.LNX.4.44.0306290924310.28882-100000@netcore.fi>
Hello,
>>Apart from that Roberto Nibali did some preliminary testing on nf-hipac.
>>You can find his posting to linux-kernel here:
>>http://marc.theaimsgroup.com/?l=linux-kernel&m=103358029605079&w=2
>>
>>Since there are currently no performance tests available for the
>>new release we want to encourage people interested in firewall
>>performance evaluation to include nf-hipac in their tests.
>
> Yes, I had missed this when I quickly looked at the web page using lynx.
> Thanks.
>
> One obvious thing that's missing in your performance and Roberto's figures
> is what *exactly* are the non-matching rules. Ie. do they only match IP
> address, a TCP port, or what? (TCP port matching is about a degree of
> complexity more expensive with iptables, I recall.)
When I did the tests I used a variant of following simple script [1].
There you can see that I only used a src port range. In an original
paper I wrote for my company (announced here [2]) I did create rules
that only matched IP addresses, the results were bad enough ;).
Meanwhile I should revise the paper as quite a few things have been
addressed since then: For example the performance issues with OpenBSD
packet filtering have mostly been squashed. I didn't continue on that
matter because I fell severely ill last autumn and first had to take
care of that.
[1] http://www.drugphish.ch/~ratz/genrules.sh
[2] http://www.ussg.iu.edu/hypermail/linux/kernel/0203.3/0847.html
HTH and Best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
next prev parent reply other threads:[~2003-06-29 7:31 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-06-25 20:48 [ANNOUNCE] nf-hipac v0.8 released Michael Bellion and Thomas Heinz
2003-06-25 21:03 ` Folkert van Heusden
2003-06-25 23:52 ` Thomas Heinz
2003-06-26 13:38 ` Daniel Egger
2003-06-26 14:20 ` Michael Bellion and Thomas Heinz
2003-06-26 14:45 ` Daniel Egger
2003-06-27 6:06 ` Pekka Savola
2003-06-28 20:04 ` Michael Bellion and Thomas Heinz
2003-06-29 6:26 ` Pekka Savola
2003-06-29 7:45 ` Roberto Nibali [this message]
2003-06-29 16:26 ` Michael Bellion and Thomas Heinz
2003-07-02 5:30 ` Pekka Savola
2003-07-02 12:26 ` Michael Bellion and Thomas Heinz
2003-07-02 13:08 ` P
2003-07-02 13:48 ` Michael Bellion and Thomas Heinz
2003-07-02 14:23 ` P
2003-07-02 16:57 ` Michael Bellion and Thomas Heinz
-- strict thread matches above, loose matches on Subject: below --
2003-06-25 20:12 Michael Bellion and Thomas Heinz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3EFE9921.5010902@drugphish.ch \
--to=ratz@drugphish.ch \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@oss.sgi.com \
--cc=nf@hipac.org \
--cc=pekkas@netcore.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.