On 2011-08-16, Quentin Aebischer <quentin.aebisc...@usherbrooke.ca> wrote:
> Hello everyone,
>
> I'm currently a master's degree student, and I'd like to benchmark
> packet filter over the number of tcp sessions per second it can handle.
>
> So I've got a very basic setup working, consisting of one server
> running OpenBSD 4.9 with PF (acting as firewall-router), and 2 PC's
> running Linux, acting respectively as client and webserver (running
> apache2 for the last).
>
> Basically, the client spams standard HTTP requests to the server via
> the firewall using a basic HTTP injector tool and evaluates the number
> of successfully processed requests per second.
>
> As one can expect, there is an inverse relationship between the number
> of sessions/s a firewall can sustain and the size of the object of the
> request. To achieve maximum throughput, you've got to request big size
> objects (i.e. 50KB or more), whereas to achieve maximum session rate
> per second, you've got to make requests with 0 size objects.
>
> Prior to this, I've run some tests with a Linux firewall running
> iptables, and I've come up with an average rate of 11300 sessions/s
> for 0 size objects (straight up results, no tweaks or improvements
> made).
>
> Moving on to the OpenBSD tests, I only achieved an average rate of
> 7000 sessions/s for 0 size object (starting up at 8000, slowly
> decreasing to 7000 - 6500 ...), which is way above the linux/iptables
> average rate. I then tried to make some tweaks in /etc/sysctl.conf,
> but no improvement so far. The ruleset I use is the following (copied
> from the OpenBSD pf tutorial):
>
> set block-policy drop
> pass out quick
> pass in on $WAN inet proto tcp port 80 rdr-to $HTTP_SERVER_IP
> pass in inet proto icmp all
> pass in on $LAN
>
> So I come here now to know whether you guys have any idea what sort of
> tweaks I could try to significantly enhance the number of tcp sessions
> per second processed by PF. I'm kind of a PF newbie, so I'm clueless
> for the moment. Any hints, thoughts or ideas are appreciated!
>
Make sure your state limits are high enough (set limits states XX; default is 10000).

Also check sysctl net.inet.ip.ifq; if there are drops then you may want to gradually increase net.inet.ip.ifq.maxlen.

Note that the ruleset you have shown does not block anything (default if there is *no* matching rule at all is to statelessly pass a packet).
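The two checks suggested in the reply above (state-table headroom against `set limit states`, and drops on `net.inet.ip.ifq`) as a small sh script. This is an added example, not code from the thread or from OpenBSD; it parses the output of `pfctl -sm`, `pfctl -si` and `sysctl net.inet.ip.ifq`, and the sample output embedded below is constructed to look like a firewall near its state limit.

```shell
#!/bin/sh
# Added example: report PF state-table usage and ifq drops from command output.
# Assumed output formats (OpenBSD 4.9 era):
#   pfctl -sm            -> "states        hard limit    10000"
#   pfctl -si            -> "  current entries                     9850"
#   sysctl net.inet.ip.ifq -> "net.inet.ip.ifq.drops=42"

# Constructed sample output standing in for the live commands.
SAMPLE_PFCTL_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000'
SAMPLE_PFCTL_SI='Status: Enabled for 0 days 01:02:03           Debug: err
State Table                          Total             Rate
  current entries                     9850
  searches                        12345678         3290.1/s'
SAMPLE_SYSCTL_IFQ='net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=256
net.inet.ip.ifq.drops=42'

# state_headroom <pfctl -sm output> <pfctl -si output> -> "used limit percent"
state_headroom() {
    limit=$(printf '%s\n' "$1" | awk '$1=="states" && $2=="hard" {print $4}')
    used=$(printf '%s\n' "$2" | awk '$1=="current" && $2=="entries" {print $3}')
    printf '%s %s %s\n' "$used" "$limit" $(( used * 100 / limit ))
}

# ifq_drops <sysctl net.inet.ip.ifq output> -> drop counter (0 if the key is absent)
ifq_drops() {
    d=$(printf '%s\n' "$1" | awk -F= '$1=="net.inet.ip.ifq.drops" {print $2}')
    printf '%s\n' "${d:-0}"
}

# report <pfctl -sm> <pfctl -si> <sysctl ifq>: exit 0 if healthy, 1 if a tweak is warranted.
report() {
    drops=$(ifq_drops "$3")
    set -- $(state_headroom "$1" "$2")      # now $1=used $2=limit $3=percent
    rc=0
    if [ "$3" -ge 90 ]; then
        echo "state table ${3}% full ($1/$2): raise 'set limit states' in pf.conf"; rc=1
    fi
    if [ "$drops" -gt 0 ]; then
        echo "net.inet.ip.ifq.drops=$drops: consider raising net.inet.ip.ifq.maxlen"; rc=1
    fi
    return $rc
}

# On the firewall itself, replace the samples with the live command output:
#   report "$(pfctl -sm)" "$(pfctl -si)" "$(sysctl net.inet.ip.ifq)"
report "$SAMPLE_PFCTL_SM" "$SAMPLE_PFCTL_SI" "$SAMPLE_SYSCTL_IFQ" || true
```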