DragonFly BSD
DragonFly kernel List (threaded) for 2011-01
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: Time to let go of ipfilter

From: Vlad Galu <dudu@xxxxxxx>
Date: Fri, 21 Jan 2011 13:43:33 +0100

On Fri, Jan 21, 2011 at 1:23 PM, joris dedieu <joris. dedieu@gmail.com> wrote:
2011/1/21 Sepherosa Ziehau <sepherosa@gmail.com>:
> Hi all,
Hi sephe
> ipfilter is not maintained in dragonfly at all, I plan to remove it.

Just a word about it. Currently we (a french hoster http://www.nfrance.com) use
DragonFly (2.6 has 2.8 broke ipsec) as primary OS for our routers (20 machines)
with quagga and ipf. And its work really well (better than FreeBSD we were
previously using).

Our requirement for routing machines is to be able to gracefuly handle
200-300mb/s traffic load with filtering (stateless) and bgp/ospf routing
(full table). Crash test is at 400mb/s in lab.

We choose ipf for historical reasons (previously used on FreeBSD). But
we experienced on FreeBSD that it's really faster than pf.

Do you think there is currently an other software (maybe ipfw) that can
filter 200/300 mb/s load ?

FWIW, I think you should consider doing the firewalling elsewhere, if throughput is a concern. These things almost never play well together. You should also consider using stateful rules. The memory tradeoff is worth the speed gain, as packets are first checked against the state table. If they match a state entry, rule matching overhead is avoided.

Good, fast & cheap. Pick any two.

[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]