Time to let go of ipfilter

Atte Peltomäki atte.peltomaki at iki.fi
Tue Feb 22 00:48:49 PST 2011

On Tue, Feb 22, 2011 at 02:20:59AM -0600, Chris Turner wrote:
> On 02/21/11 07:57, Atte Peltomäki wrote:
> > PF is simply too slow. It does have good functionality and it's easy to
> > use, but it doesn't scale beyond small/medium networks. I stress-tested
> > it some time ago and OpenBSD/pf could get a combined throughput of
> > around 1.6Gbps. FreeBSD/pf got a little better, but not so that it would
> > really mean much.
> What was the max {memory,pci,processor} bandwidth on the machine under
> test?

IIRC some 72GB RAM, 2x 8-core cpus and loaded with 8 SSD disks in
RAID10. A box with much less power was ultimately used for that project,
since pf only effectively utilizes one cpu core.

> Have you stress tested NPF?

No; I only first heard of it yesterday. I don't actually even have a box
right now that would be useful for testing NPF's MP capabilities, but
I'm sure I can find one again if and when I need to. 

Atte Peltomäki
     atte.peltomaki at iki.fi <> http://kameli.org
"Your effort to remain what you are is what limits you"
