Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751371AbVIZL6S (ORCPT ); Mon, 26 Sep 2005 07:58:18 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751386AbVIZL6R (ORCPT ); Mon, 26 Sep 2005 07:58:17 -0400 Received: from mx03.cybersurf.com ([209.197.145.106]:35746 "EHLO mx03.cybersurf.com") by vger.kernel.org with ESMTP id S1751371AbVIZL6Q (ORCPT ); Mon, 26 Sep 2005 07:58:16 -0400 Subject: Re: [ANNOUNCE] Release of nf-HiPAC 0.9.0 From: jamal Reply-To: hadi@cyberus.ca To: Emmanuel Fleury Cc: Michael Bellion , linux-kernel@vger.kernel.org, linux-net@vger.kernel.org, netdev@vger.kernel.org In-Reply-To: <4337DA7C.2000804@cs.aau.dk> References: <200509260445.46740.mbellion@hipac.org> <4337DA7C.2000804@cs.aau.dk> Content-Type: text/plain Organization: unknown Date: Mon, 26 Sep 2005 07:58:01 -0400 Message-Id: <1127735881.6215.294.camel@localhost.localdomain> Mime-Version: 1.0 X-Mailer: Evolution 2.2.1.1 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1968 Lines: 52 On Mon, 2005-26-09 at 13:24 +0200, Emmanuel Fleury wrote: > Hi, > > Did you solved your "size" issues when entering long list of rules ??? > > I'm still not convinced by your approach. :-/ > > These experiments have to be updated but can you comment on this: > http://www.cs.aau.dk/~mixxel/cf/experiments.html To repeat the tests i mentioned earlier for clarity: a) Variable incoming packet rate (in packets per second) b) Variable packet sizes c) Variable number of users/filters d) Effect of adding/removing/modifying policies while under different incoming traffic rates. You seem to have taken care of most of the variables involved except for #d below. If you look at my slides you will see why #d is important to have in modern firewalls. I think if you have to first compile rules then you will have issues, but it remains to be seen. Several comments: - Am i mistaken that your source of data is from somewhere in the backbone? Would it be fair to say that something in the edge would be more appropriate? - Your header extraction tool creates "10 sets of rules"; is there a reason for the number 10? - Is tcpreplay the right tool? What does it give you that you cant use a better blaster like pktgen? - I think the blackbox monitor looking at the input vs output tool is good. It will be more complete if you can quantify the input rate then you can easily quantify output rate. - While your results were useful in showing Mbps; they are incomplete by not mentioning the packet size. A better metric would have been pps. But even then mentioning packet size is also useful. If you are going to run these tests in stateless firewalling as you did, please consider using tc filter as well. cheers, jamal - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/