benchmark........

benchmark........

[Francis M. J. Hsieh]

Well, here is a benchmark using MDBNCH, a benchmark program doing floating
point calculation on molecular dynamics (one of the research fields of out lab)

SGI Indy, R4600PC 133MHz, f77 4.0.2, -mips2 -O3 -sopt ......... 73.0 s  12Feb96
SGI Indy, R4600PC 133MHz, f77 4.0.2, -mips2 -O2 ............... 77.4 s  12Feb96
SGI Indy, R4600PC 133MHz, f77 4.0.2, -mips2 -O3 ............... 80.5 s  12Feb96
SGI Indy, R4600PC 100MHz, f77 4.0.1, -mips2 -O2 -sopt ......... 89.0 s  02Nov94
SGI Indy, R4600PC 100MHz, f77 4.0.1, -mips2 -O2 ............... 95.2 s  02Nov94
SGI Indy, R4600PC 100MHz, f77 4.0.1, -mips2 -O2 -non_shared .. 100.4 s  02Nov94
SGI Indy, R4600PC 100MHz, f77 4.0.1, -mips2 -O3 -non_shared .. 101.7 s  02Nov94
SGI Indy, R4000PC 100MHz, f77 4.0.1, -mips2 -O2 -sopt ........ 102.8 s  01Nov94
SGI Indy, R4000PC 100MHz, egcs-g77, -O2 -ff77 ................ 104.3 s  19Jul98
  (hardhat kernel 2.1.100)
SGI Indy, R4000PC 100MHz, f77 4.0.1, -mips2 -O2 -sopt -static  109.6 s  01Nov94
SGI Indy, R4000PC 100MHz, f77 4.0.1, -mips2 -O2 -ddopt ....... 110.2 s  01Nov94
SGI Indy, R4000PC 100MHz, f77 4.0.1, -mips2 -O2 .............. 110.6 s  01Nov94
SGI Indy, R4000PC 100MHz, f77 4.0.1, -mips2 -O2 -non_shared .. 114.4 s  01Nov94
SGI Indy, R4000PC 100MHz, f77 4.0.1, -mips2 -O3 -non_shared .. 128.9 s  01Nov94
SGI Indy, R4000PC 100MHz, f77 4.0.1, -mips2 -O2 -static ...... 145.5 s  01Nov94
SGI Indy, R4000PC 100MHz, f77 4.0.1, -mips2 -O1 .............. 154.3 s  01Nov94

for more information about MDBNCH see http://www.sissa.it/furio/mdbnch.html

--
Francis M. J. Hsieh      | Email:   mjhsieh@life.nthu.edu.tw
Life Science Department, | Webpage: http://www.life.nthu.edu.tw/~mjhsieh/
National Tsing Hua Univ, | Voice:   +886 3 5715131 ext 3482
HsinChu, Taiwan Republic | 	    +886 3 5715649

Re: benchmark........

[Francis M. J. Hsieh]

On Sun, Jul 19, 1998 at 06:35:08PM +0200, ralf@uni-koblenz.de wrote:
> On Sun, Jul 19, 1998 at 11:35:27PM +0800, Francis M. J. Hsieh wrote:
> 
> > Well, here is a benchmark using MDBNCH, a benchmark program doing floating
> > point calculation on molecular dynamics (one of the research fields of out lab)
> 
> This benchmark probably only really tests the compiler's optimization
> and the machine performance?  Anyway, the results would be somewhat
> more interesting if you'd have IRIX results at hand?

The line contain g77 is the result on linux, others are on irix.
I am sorry that I didn't point that out. :-)

-- 
Francis M. J. Hsieh      | Email:   mjhsieh@life.nthu.edu.tw
Life Science Department, | Webpage: http://www.life.nthu.edu.tw/~mjhsieh/
National Tsing Hua Univ, | Voice:   +886 3 5715131 ext 3482
HsinChu, Taiwan Republic | 	    +886 3 5715649

Re: benchmark........

[Francis M. J. Hsieh]

On Sun, Jul 19, 1998 at 06:54:52PM +0200, ralf@uni-koblenz.de wrote:
> > The line contain g77 is the result on linux, others are on irix.
> > I am sorry that I didn't point that out. :-)
> 
> Any SGI compiler results for comparison?  That stuff is Fortran and should
> probably show significant differences between both compilers.

hmmm, the comparison list result (maybe this is still not what you want
to see *sigh* )is at http://www.sissa.it/furio/Mdbnch/results.txt .
I don't known when he will update my submission :-)

It is just a small / little benchmark.........
-- 
Francis M. J. Hsieh      | Email:   mjhsieh@life.nthu.edu.tw
Life Science Department, | Webpage: http://www.life.nthu.edu.tw/~mjhsieh/
National Tsing Hua Univ, | Voice:   +886 3 5715131 ext 3482
HsinChu, Taiwan Republic | 	    +886 3 5715649

Benchmark

[Alejandro Flores]

	Hello there,

	Well, I've been teaching netfilter/iptables for a while, and always
there's someone asking about performance. Normally, they use other kind
of firewall, like cisco pix or checkpoint. Is there any benchmark out
there?
	Another point is, how much user-chains can degrade the performance?
IMHO, user chains are simple the best to help you organize and separate
rules in groups. But, how can I measure if it's degrading the
performance?

Thanks!
Alejandro

Ps. Sorry my poor english!

Re: Benchmark

[Michael Gale]

Hello,

	Well I am not expert but I think that user chains could improve performance. If you had in total 1000 rules and no user
chains, a packet may have to go through 999 rules to find a match or no match. If you broke up your 1000 rules into 25
different user chains a packet would at most have to be matched against 24 user chains and then only be checked against
required chains and not other rules.

Michael.


On Tue, 13 Jul 2004 18:04:43 -0300
Alejandro Flores <alejandro.flores@triforsec.com.br> wrote:

> 	Hello there,
> 
> 	Well, I've been teaching netfilter/iptables for a while, and always
> there's someone asking about performance. Normally, they use other kind
> of firewall, like cisco pix or checkpoint. Is there any benchmark out
> there?
> 	Another point is, how much user-chains can degrade the performance?
> IMHO, user chains are simple the best to help you organize and separate
> rules in groups. But, how can I measure if it's degrading the
> performance?
> 
> Thanks!
> Alejandro
> 
> Ps. Sorry my poor english!
> 
> 
> 
> 
> 


-- 
Michael Gale
Network Administrator
Utilitran Corporation

Re: Benchmark

[Alejandro Flores]

	Hello Michael,

	Agreed. If well designed, it will improve performance. But, what is the
cost to send a packet to another chain? And if you have something like:
	iptables -A INPUT -i eth0 -p tcp -j C1
	iptables -A C1 -p tcp --dport 22 -j C1_SSH
	iptables -A C1_SSH -s 192.168.0.2/32 -j ACCEPT
	iptables -A C1_SSH -s 192.168.0.7/32 -j ACCEPT
	iptables -A C1_SSH -s 192.168.0.23/32 -j ACCEPT

	When the packet arrives, and it's from 192.168.0.7, it will be handled
by INPUT, then C1 and finally C1_SSH at the second rule. What I'm trying
to discover is, what is the cost to send the packet from one chain to
another. It's more easy to configure and maintain your rules with
user-chains, but how much it will cost in performance, if instead of the
above example, I use the following rules:

iptables -A INPUT -i eth0 -p tcp --dport 22 -s 192.168.0.2/32 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -s 192.168.0.7/32 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -s 192.168.0.23/32 -j ACCEPT


Regards!
Alejandro Flores

> Hello,
> 
> 	Well I am not expert but I think that user chains could improve performance. If you had in total 1000 rules and no user
> chains, a packet may have to go through 999 rules to find a match or no match. If you broke up your 1000 rules into 25
> different user chains a packet would at most have to be matched against 24 user chains and then only be checked against
> required chains and not other rules.
> 
> Michael.
> 
> 
> On Tue, 13 Jul 2004 18:04:43 -0300
> Alejandro Flores <alejandro.flores@triforsec.com.br> wrote:
> 
> > 	Hello there,
> > 
> > 	Well, I've been teaching netfilter/iptables for a while, and always
> > there's someone asking about performance. Normally, they use other kind
> > of firewall, like cisco pix or checkpoint. Is there any benchmark out
> > there?
> > 	Another point is, how much user-chains can degrade the performance?
> > IMHO, user chains are simple the best to help you organize and separate
> > rules in groups. But, how can I measure if it's degrading the
> > performance?
> > 
> > Thanks!
> > Alejandro
> > 
> > Ps. Sorry my poor english!
> > 
> > 
> > 
> > 
> > 
> 

Re: Benchmark

[Julian Gomez]

On Tue, Jul 13, 2004 at 06:32:52PM -0300, Alejandro Flores spoke thusly:

>Hello Michael,
>
>Agreed. If well designed, it will improve performance. But, what
>is the cost to send a packet to another chain? And if you have
>something like:

I don't have those numbers.

>When the packet arrives, and it's from 192.168.0.7, it will be handled
>by INPUT, then C1 and finally C1_SSH at the second rule. What I'm
>trying to discover is, what is the cost to send the packet from one
>chain to another. It's more easy to configure and maintain your rules
>with user-chains, but how much it will cost in performance, if instead
>of the above example, I use the following rules:

That's relative right? If you properly organise your user-chains taking
into account that more frequent traffic types are at the top - then
performance wise, you shouldn't be seeing that dramatic a hit.

On an old bastion host I used to control, I had 6,000++ rules running at
one time (_no optimisation_ at all). I didn't notice a performance hit,
except adding/deleting rules took a bit of time to fully finish; but
Harald has mentioned that problem before on the list - its due to the
way the rules are stored (circular link list?) IIRC.

For good security- your rulesets should be really small (where
possible!) otherwise it becomes a nightmare to maintain.

In regards to "rule sorting" google the firewall-wizards mailing list
archives, Paul Robertson has participated in a couple of interesting
threads on the subject.

(snip)

benchmark

[Lorenzo PARISI]

Hi,

I've a s3c2410 board and I want testing my NAND, but I don't 
know any benchmark that run under ARM architecture and i386 
architecture, so.

Do you know someone? I work with jffs2 and yaffs.

Thanks

benchmark

[michel m]

[-- Attachment #1: Type: text/plain, Size: 142 bytes --]

Hi,
I`d like to know if there is any paper or proof of concept that shows
selinux protects integrity and confidentiality of system.

Regards.

[-- Attachment #2: Type: text/html, Size: 155 bytes --]

Re: benchmark

[Casey Schaufler]

michel m wrote:
> Hi,
> I`d like to know if there is any paper or proof of concept that shows
> selinux protects integrity and confidentiality of system.

You might start with the Common Criteria evaluation reports.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.