At 17:03 8/1/2000 +0100, Luigi Rizzo wrote:
>I think the basic rule-checking algorithms in ipf are no better/faster
>than the ones in ipfw. If you want to switch from ipfw (no natd!)
>to ipf just for performance reasons, I think you are not going to get
>any significant advantage, if any (I mean, if you write your ipfw rules
>in an intelligent way).

So far it's been a disadvantage. :( Even without any rules, ipf introduces
about 50-100 microseconds of latency, whereas ipfw only introduces about 25.

>For sure the pair ipf/ipnat should be faster than ipfw/natd, but
>just because natd is a user-space thing and this means additional
>data movements between kernel and user space that ipf does not need.

The only thing I use nat for is over a 56k modem. ;) So speed really isn't
an issue there, but it is over my LAN.

>Other reasons for the switch could be the fact that ipf is stateful
>(but I am working on adding state to ipfw, if I find proper support
>- hint, hint), so you can build better things.
>
>In other words, if you want to switch, be motivated by features, not
>by performance!

Quite, ipf has some great features. :)

Speaking of ipf, is there any reason why I shouldn't upgrade from the 3.3.3
that comes with 4.0-CURRENT, to 3.3.6? I upgraded already and haven't seen
any problems - although my machine rebooted at one stage right after I
typed a rule into ipnat. I couldn't reproduce it, and never found out why
it rebooted. 3.3.6's speed is still as lousy as 3.3.3 too. :(

Cheers