There is not much to tweak, performance-wise. OpenBSD avoids such buttons like the plague, and besides: benchmarks should be run with a stock install, which is what 99% of users are going to be doing as well.
You can try looking at the output of 'pfctl -si' and see if any of those is increasing a lot, it may give you some more hints. The only thing that jumps to mind is the states limit; if it's getting hit you'll see the memory counter increase. I can't make any suggestion for a good value for 'set limit states' though because you included zero information about the hardware you're testing on.

On Tue, Aug 16, 2011 at 02:12:01PM -0400, Quentin Aebischer wrote:
> Hello everyone,
>
> I'm currently a master's degree student, and I'd like to benchmark
> packet filter over the number of tcp sessions per second it can
> handle.
>
> So I've got a very basic setup working, consisting of one server
> running OpenBSD 4.9 with PF (acting as firewall-router), and 2 PCs
> running Linux, acting respectively as client and webserver (running
> apache2 for the last).
>
> Basically, the client spams standard HTTP requests to the server via
> the firewall using a basic HTTP injector tool and evaluates the
> number of successfully processed requests per second.
>
> As one can expect, there is an inverse relationship between the
> number of sessions/s a firewall can sustain and the size of the
> object of the request. To achieve maximum throughput, you've got to
> request big size objects (i.e. 50KB or more), whereas to achieve
> maximum sessions rate per second, you've got to make requests with 0
> size objects.
>
> Prior to this, I've run some tests with a Linux firewall running
> iptables, and I've come up with an average rate of 11300 sessions/s
> for 0 size objects (straight up results, no tweaks or improvements
> made).
>
> Moving on to the OpenBSD tests, I only achieved an average rate of
> 7000 sessions/s for 0 size objects (starting up at 8000, slowly
> decreasing to 7000 - 6500 ...), which is way above the
> linux/iptables average rate. I then tried to make some tweaks in
> /etc/sysctl.conf, but no improvement so far.
>
> The ruleset I use is the following (copied from the OpenBSD pf tutorial):
>
> set block-policy drop
> pass out quick
> pass in on $WAN inet proto tcp port 80 rdr-to $HTTP_SERVER_IP
> pass in inet proto icmp all
> pass in on $LAN
>
> So I come here now to know whether you guys have any idea what sort
> of tweaks I could try to significantly enhance the number of tcp
> sessions per second processed by PF. I'm kind of a PF newbie, so
> I'm clueless for the moment. Any hints, thoughts or ideas are
> appreciated!
> --
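The check suggested in the reply, written out as an added example that is not from this thread: a POSIX shell script that diffs two `pfctl -si` snapshots taken during the benchmark, reports which counters grew (the memory counter in particular), and compares the state table's "current entries" with the hard limit from `pfctl -sm`. The function names and all sample output are constructed for the example.

```shell
#!/bin/sh
# Diff two `pfctl -si` snapshots taken while the load generator runs, list
# the counters that grew, and compare "current entries" with the states
# hard limit from `pfctl -sm`. All sample output below is constructed.

# Print "name delta" for each counter whose Total grew between $1 and $2.
pf_counter_deltas() {
    awk '/^  [a-z]/ {
        split($0, f, /  +/)               # f[2]=name  f[3]=Total  f[4]=Rate
        name = f[2]; total = f[3] + 0
        if (FNR == NR) before[name] = total
        else if (total > before[name]) printf "%s %d\n", name, total - before[name]
    }' "$1" "$2"
}

# Growth of the "memory" counter; non-zero means state inserts were refused.
pf_memory_delta() {
    pf_counter_deltas "$1" "$2" | awk '$1 == "memory" { d = $2 } END { print d + 0 }'
}

# Percent of the states hard limit in use ($1 = pfctl -si, $2 = pfctl -sm).
pf_state_usage_pct() {
    cur=$(awk '/^  current entries/ { split($0, f, /  +/); print f[3] }' "$1")
    lim=$(awk '$1 == "states" { print $4 }' "$2")
    echo $(( cur * 100 / lim ))
}

SNAP1=$(mktemp); SNAP2=$(mktemp); LIMITS=$(mktemp)
trap 'rm -f "$SNAP1" "$SNAP2" "$LIMITS"' EXIT
cat > "$SNAP1" <<'EOF'
State Table                             Total             Rate
  current entries                        9950
  inserts                              350000          580.0/s
  removals                             340050          567.0/s
Counters
  match                                350000          580.0/s
  memory                                    0            0.0/s
EOF
cat > "$SNAP2" <<'EOF'
State Table                             Total             Rate
  current entries                       10000
  inserts                              352000          400.0/s
  removals                             342000          400.0/s
Counters
  match                                353500          700.0/s
  memory                                 1500          300.0/s
EOF
printf 'states        hard limit    10000\n' > "$LIMITS"   # constructed pfctl -sm line
echo "counters that grew:"; pf_counter_deltas "$SNAP1" "$SNAP2"
echo "memory delta: $(pf_memory_delta "$SNAP1" "$SNAP2")"
echo "state table at $(pf_state_usage_pct "$SNAP2" "$LIMITS")% of hard limit"
```

On a real box, replace the constructed files with `pfctl -si > snap1`, wait a few seconds under load, `pfctl -si > snap2`, and `pfctl -sm > limits`; a growing memory counter with the table at its limit is the signal that 'set limit states' needs raising.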