
Re: performance: single ip in table Vs single ip



On Fri, 2005-04-22 at 10:21 -0400, Mike Frantzen wrote:
> > Simple question which rule is evaluated faster.
> > table <ip0-2> const {192.168.0.2}
> > pass in quick on $int_if from <ip0-2> to any
> > pass in quick on $int_if from 192.168.0.2 to any
> 
> Daniel did some tests several years ago and the break even point was
> about six IPs in a table versus six individual rules.  So your table
> rule will be 6x as slow.  Unless you're running 10yr old hardware, your
> firewall is probably so overpowered that it doesn't matter.
That's the conclusion I have come to.  I have entries for around 7500
IPs on our firewall and have tables for each proto/port pair.
Data is stored in a database and the pf conf generated by a perl script.
Even though it would be easy (half an hour's work including testing) to
modify the script to emit individual rules for pairs with a low number of
addresses, I have decided to keep it simple and have everything in
tables.  Since the firewall box idles at about 2% cpu the extra overhead
is not an issue.
Russell
-- 
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
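An added example (not from the thread, and not Russell's Perl script) of the generator approach he describes, in Python: a (proto, port) pair with fewer addresses than the roughly six-IP break-even Mike quotes is emitted as individual pass rules, a larger one as a const table plus a single rule. The sample addresses, the `$int_if` macro and the table naming are constructed assumptions of this example.

```python
"""Emit pf.conf rules from a proto/port -> address-list mapping.

Constructed example: the addresses below are RFC 1918 placeholders, not
from the thread. THRESHOLD is the ~6-IP break-even quoted in the thread;
everything else (macro name, table naming, sample data) is an assumption.
"""
import ipaddress

THRESHOLD = 6          # break-even point quoted in the thread
INT_IF = "$int_if"     # interface macro, as in the original rules

# Constructed sample data: (proto, port) -> list of source addresses
RULES = {
    ("tcp", 22): ["192.168.0.2", "192.168.0.3"],
    ("tcp", 80): [f"10.0.1.{i}" for i in range(1, 11)],
}


def table_name(proto, port):
    """Assumed naming scheme: one table per proto/port pair."""
    return f"{proto}{port}"


def render(rules, threshold=THRESHOLD, iface=INT_IF):
    """Return pf.conf text. Pairs with fewer than `threshold` addresses
    become individual rules; larger ones become a const table plus one
    rule referencing it. Tables are emitted before the rules that use them."""
    tables, passes = [], []
    for (proto, port), addrs in sorted(rules.items()):
        # Parse every address: a malformed database row must fail here
        # rather than smuggle extra tokens into the generated pf.conf.
        addrs = [str(a) for a in sorted({ipaddress.ip_address(a) for a in addrs})]
        if len(addrs) < threshold:
            for a in addrs:
                passes.append(f"pass in quick on {iface} proto {proto} "
                              f"from {a} to any port {port}")
        else:
            name = table_name(proto, port)
            tables.append(f"table <{name}> const {{ {' '.join(addrs)} }}")
            passes.append(f"pass in quick on {iface} proto {proto} "
                          f"from <{name}> to any port {port}")
    return "\n".join(tables + passes) + "\n"


if __name__ == "__main__":
    print(render(RULES), end="")
```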
