Re: benefits of 'set state-policy if-bound'
Jon Hart wrote:
Whether or not these are true or complete is open to debate... if-bound will not be slower than floating, so I don't think it's overkill.
Because this particular deployment will have significantly more
interfaces, rules, hosts and traffic flows, suddenly using if-bound
seems like it might be overkill.
Really? My thinking was that because state would be kept on all
interfaces that the packet in question traverses, and each state entry
requires memory and system resources, that more resources would be
required. I'd be surprised if this meant 2x the memory.
Ok, yeah, that's correct, it will use more memory if you have more states.
I usually filter "statefully" only on external interfaces, so for my config
it doesn't make any difference, but it can for you if you filter everywhere.
Note that with if-bound state, you will have more states, but each state will
be stored in a tree attached to each interface. That means that when PF
receives a packet, it will only search the subset of states for the given
interface (for if-bound state), so the search itself would be faster than
for the floating case, if there was no "cache effect"....
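As an added illustration, not part of this thread, here is a constructed pf.conf fragment showing the setup described above: a global if-bound state policy with stateful filtering confined to the external interface, plus a per-rule override back to floating. The interface names and ports are assumptions, not anything from the original posts.

```pf
# Constructed example pf.conf fragment (interface names are assumptions)
ext_if = "em0"
int_if = "em1"

# Global default: every state entry is bound to the interface it was
# created on, so lookups only walk that interface's state tree.
set state-policy if-bound

# Stateful filtering on the external interface only.
block in on $ext_if
pass out on $ext_if keep state

# Interior traffic is filtered statelessly, so the larger per-interface
# state tables cost nothing here.
pass on $int_if no state

# Per-rule override: this flow's state may be matched on any interface,
# which is useful when replies can arrive via a different interface.
pass in on $ext_if proto tcp to port 22 keep state (floating)
```

After loading the ruleset, `pfctl -s states` shows which policy each entry ended up with: if-bound states list the interface name in the first column, while floating states show `all`. Comparing the state count with `pfctl -s info` before and after switching the policy is the quickest way to see the extra memory the thread mentions.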