Re: [leaf-user] Firewall performance graph

2005-07-13 Thread Erich Titl
Jaime

Thanks for the info

Jaime Nebrera wrote:
...
   D) FreeBSD (actually don't know what BSD m0n0wall uses) is much more
 linear and predictable on its behavior, standing for higher loads.

Did you test Linux in router configuration?

cheers

Erich


---
This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening
July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual
core and dual graphics technology at this free one hour event hosted by HP,
AMD, and NVIDIA.  To register visit http://www.hp.com/go/dualwebinar

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/


[leaf-user] Firewall performance graph

2005-07-11 Thread Jaime Nebrera
  Hi all,

  For all people just testing firewall performance.

  We are in the process of publishing some graphs regarding firewall
performance (mainly in low end hardware). We have compared mainly Linux
(2.4.30 and 2.6.11) and FreeBSD (m0n0wall) on a Geode 266, Via 533 and
Via 1GHz, all with Realtek 8139 ethernets.

  You can see the first results in:

http://www.eneotecnologia.com/archivos/Firewall_512.png

  Some comments on the experiment:

  1) We tested this with a much better box (P4 3GHz, PCIE, Marvell
chipset), but currently we don't have access to it. It supported more
than 10.000 consecutive rules for 1.200 pps. But we had to give this
hardware to our client and can't test any more.

  2) We have to make the same tests with 1500 bytes and 64 bytes
packages

  3) Traffic was generated from a few PCs (sorry, we couldn't create more
traffic at the moment) using hping2. Traffic was UDP to port 80.

  4) The "rules" value means the number of non-matching rules before the
matching rule.

  Some comments on results:

  A) We are unable to determine if we are using NAPI or not on these
boxes. We tested 2.4.23 too with the same results. After some reading,
we discovered the driver needs to support NAPI too, but after finding
what seems a valid one (ftp://ftp.ovh.net/made-in-ovh/kernel/) we don't
get better results (neither for 2.4.30 nor 2.6.11). We need some help to
see if we are really using NAPI on these boxes.

  B) Linux 2.6.11 and 2.4.30 show more or less the same behavior (?)

  C) All Linux seem to hit a wall around 800 rules. This is a known
limit in current iptables / netfilter design. (See Hi-PAC and others.)
With the better box this wall was much further away. Also, this limit
is quite similar with different CPUs (Geode 266, Via 533, Via 1GHz) and
is shared on all boxes that use Realtek chipsets (we are about to test it
with a P4 2.1GHz Realtek). Maybe a problem of the driver? Maybe the lack
of NAPI even when supposed to be used?

  D) FreeBSD (actually don't know what BSD m0n0wall uses) is much more
linear and predictable on its behavior, standing for higher loads.

  What do you think? Any comments? Any help?

  Hope it helps. Regards.

-- 
Jaime Nebrera - [EMAIL PROTECTED]
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
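
Added example (not part of the original post, and not the script used for these measurements): a shell function that emits a ruleset of the shape described in comment 4, N non-matching rules ahead of one rule that matches the UDP port 80 test traffic. The FORWARD chain, the 192.0.2.0/24 filler source addresses and the name `gen_ruleset` are assumptions.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset: N rules that cannot match the test
# traffic, then one rule that does. netfilter walks a chain in order, so
# every test packet is compared against all N filler rules first.
#
# Assumptions (not from the original post):
#   - the box is tested as a router, so rules go in the FORWARD chain
#   - filler rules use sources from 192.0.2.0/24 (documentation range,
#     RFC 5737), which the traffic generators must not use
#   - filler sources repeat after 254 rules; duplicates still cost one
#     comparison each, which is all this measurement needs
gen_ruleset() {
    n=$1
    case "$n" in
        ''|*[!0-9]*)
            echo "usage: gen_ruleset <non-matching-rule-count>" >&2
            return 1 ;;
    esac
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    # Policy DROP so that only the final rule lets the test traffic through.
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    i=0
    while [ "$i" -lt "$n" ]; do
        host=$(( i % 254 + 1 ))
        echo "-A FORWARD -s 192.0.2.${host}/32 -p udp -m udp --dport 80 -j DROP"
        i=$(( i + 1 ))
    done
    # The single matching rule: UDP to port 80, as generated with hping2.
    echo '-A FORWARD -p udp -m udp --dport 80 -j ACCEPT'
    echo 'COMMIT'
}

# Stand-alone use on a test box (loading requires root):
#   sh gen_ruleset.sh 800 | iptables-restore
if [ "$#" -gt 0 ]; then
    gen_ruleset "$1"
fi
```

After loading, the per-rule packet counters from `iptables -L FORWARD -v -n` show whether the test traffic reached the final ACCEPT rule.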


