OpenBSD Journal

Design and Performance of PF

Contributed by jose on from the performance-analysis dept.

gwyllion writes:
"Daniel Hartmeier did a presentation about PF at Usenix 2002: Design and Performance of the OpenBSD Stateful Packet Filter (HTML, PDF, slides).

In summary, iptables performs the best for stateless rules and pf performs the best when using stateful filtering."
I saw a preview copy of this paper, but I had to miss Usenix Tech this year. Well worth the reading.

Comments
  1. By Not Really Anonymous

    Tell me one person who doesn't get turned on by this.

    I can't wait for the load-balancing and authentication papers.

    ...

  2. By Christopher Hylarides (hylaride@sheridanc.on.ca)

    It's interesting that they used the OpenBSD 3.0 pf. I've heard that the 3.1 has significant performance improvements? How would it stack up now??

  3. By Anonymous Coward

    http://web.mit.edu/nathanw/www/usenix/freenix-sa/freenix-sa.html

    talks about a hybrid kernel/userland threading system being developed for NetBSD.
    The intro of the paper was (for non-coder me) really helpful in understanding more what threading is all about.

    Does anyone know what's the status with UBC? I saw art's synching it with -current recently, but that's about it. Is it planned for 3.2?

  4. By Anonymous Coward

    What's that? It seems very nice, but first I need to know what it is...

  5. By Anonymous Coward

    This paper looks good, on the surface, but as you dig deeper for details and explanations, you come out with empty hands. We don't know how the systems have been compiled, what the rules used were or if there were any optimisations done, never mind what versions of the software were used. An obvious question to be asked is why wasn't iptables configured to use input & output filtering rather than just forwarding? This would have made sense and been a better match with comparing it against ipf/pf.

    As you read the paper, you see questions raised about performance but no answers proffered about performance, except for the obvious reference to the O(log n) graph. This suggests that either the paper was rushed or the author wasn't very thorough in their investigations and analysis. Why does the graph which starts out at O(log n) eventually descend at O(n), for example?

    Perhaps the most interesting outcome of this paper is it supports the idea of using trees for state (over hashing) but of what benefit is the "skip steps"?

    I wonder how FreeBSD feels about being left out. ipfw has a mix of capabilities and is faster than ipf, but is it faster than pf?
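Comment 5 asks what the "skip steps" from the paper actually buy. The following is an added illustration, not code from the paper, from pf itself, or from any commenter: a small Python model of pf-style skip-step evaluation over a constructed ruleset, counting how many rules have to be visited with and without the skips. The field set, rule values and packets are all made up for the demonstration.

```python
# Added illustration of pf-style "skip steps"; not code from the paper or from pf.
# skips[i][f] is the index of the first rule after i whose field f differs, so a
# failed comparison on f jumps past every following rule that must fail on it too.
FIELDS = ("ifname", "proto", "src", "dst", "dport")  # checked in this fixed order
ANY = None  # wildcard: can never fail, so a skip is never taken on it
rule = lambda *v: dict(zip(FIELDS, v))

def compute_skips(rules):
    """For each rule and field, the index of the next rule with a different value."""
    skips = [dict.fromkeys(FIELDS, len(rules)) for _ in rules]
    for f in FIELDS:
        i = 0
        while i < len(rules):
            j = i + 1
            while j < len(rules) and rules[j][f] == rules[i][f]:
                j += 1
            for k in range(i, j):
                skips[k][f] = j
            i = j
    return skips

def evaluate(rules, pkt, skips=None):
    """Return (index of last matching rule, rules visited); skips=None is a plain scan."""
    match, visited, i = None, 0, 0
    while i < len(rules):
        visited += 1
        nxt = i + 1
        for f in FIELDS:
            if rules[i][f] is not ANY and rules[i][f] != pkt[f]:
                if skips is not None:
                    nxt = skips[i][f]  # rules i+1..nxt-1 share this mismatching value
                break
        else:
            match = i  # every field matched or was a wildcard; last match wins, as in pf
        i = nxt
    return match, visited

RULES = [  # constructed sample ruleset, grouped by interface as pfctl sorts it
    rule("fxp0", "tcp", ANY, "10.0.0.1", 22),
    rule("fxp0", "tcp", ANY, "10.0.0.1", 80),
    rule("fxp0", "udp", ANY, "10.0.0.1", 53),
    rule("fxp0", "tcp", ANY, "10.0.0.2", 25),
    rule("xl0", "tcp", "192.168.1.5", ANY, 443),
    rule("xl0", "tcp", ANY, ANY, 443),
]

def compare(pkt):
    """(linear match, linear visits, skip-step match, skip-step visits) for one packet."""
    return evaluate(RULES, pkt) + evaluate(RULES, pkt, compute_skips(RULES))
```

For a constructed packet arriving on xl0 the plain scan visits all six rules while the skip-step evaluation visits three and reaches the same final match; one mismatched interface field skips the whole fxp0 block at once, which is where the gain grows with ruleset size.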
