
Re: pf skip step optimization

On Tue, Jul 23, 2002 at 09:11:45PM -0600, Theo de Raadt wrote:
> Considering that one of our
> people took a large ipf machine from 90% cpu utilization with hundreds
> and hundreds of rules to a pf machine with 10% cpu utilization under
> an even larger configuration.... these beliefs of yours perhaps need
> to be evaluated anew?

Yes, that's me. In the meantime, the ruleset grew further (1200 or so rules
now), more traffic passes, and I still don't see more than 10% cpu
utilization, on a duron 700. You might want to have a look at
http://retimo.bsws.de/img/pfstats/2002-07.png, where some pf stats are
graphed. You see peaks of nearly 30000 states and 15000 state searches per
second. Needless to say that this machine runs flawlessly without a single
error since day #1 of its existence, and the redundancy machine idles for
the same time.

Next good news is that I can rewrite the rule file, which is about 1200 lines,
in about 300 lines with -current, where more than 200 lines are variable
setting and less than 100 are actually rule definitions.



Henning Brauer, Hostmaster, BS Web Services, http://bsws.de
hb_(_at_)_bsws_(_dot_)_de | henning_(_at_)_openbsd_(_dot_)_org