> I find that a little surprising, considering that I use a 486-66 for my home
> firewall.  I've never really noticed any network slowdown because of it, and
> it's considerably slower than any S/390 system that can run Linux/390.  Do
> you have some references for this that I could read to increase my
> understanding?  I've been suggesting putting firewalls on Linux/390, and I
> don't want to continue doing that if it's the wrong thing to do.

My guess is your 486 is handling a small local LAN rather than serious
traffic and that your traffic load is mostly big frames.

A firewall is normally stress tested (for performance) on at least two things
under various ruleset conditions

        Packets per second      64 128 256 512 1024 1500 sized
        Packet latency

If you stick a pair of GigE cards in a PC the result even with PCI64/66 is
not generally pretty. The PC lacks the memory and irq handling bandwidth to
filter high packets/second rates. At 100Mbit you'll see some cards do well
but at small packet sizes it gets kind of iffy because the interrupt load is
going through the roof (on some good cards you'll see that level off and the
latency rise instead - that's 'interrupt mitigation'). At 10Mbit you are
laughing.

The S/390 box has both the real hardware and the VM glue between it and the
network packets. How well does an S/390 handle 50,000 packets/second? I guess
the definitive answer should come from the IBM folks. Elsewhere the general
rule has been that additional overhead from I/O processors for network
routing tends to be bad unless they do all the routing/filtering work.

Ultimately it depends what you are filtering and how many rules you have. On
Linux 2.4 the rule scaling behaviour is pretty decent, especially if you are
careful how you build the tables.

Alan
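
The packets-per-second test described above, worked through as an added example that is not part of the original message: it computes the theoretical Ethernet line-rate packet rate and per-packet time budget for each listed frame size. It assumes the sizes are full frame lengths including the FCS and uses the standard 20 bytes of preamble and inter-frame gap per frame; all function names are illustrative.

```python
# Added example (not from the original message): theoretical Ethernet
# line-rate packet rates for the frame sizes the message lists.

# Assumption: each size is the Ethernet frame length including the FCS.
FRAME_SIZES = (64, 128, 256, 512, 1024, 1500)

# On-wire bytes that accompany every frame but are not counted in its size:
# 7-byte preamble + 1-byte start-of-frame delimiter + 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 20

LINKS = {"10Mbit": 10**7, "100Mbit": 10**8, "GigE": 10**9}


def wire_bits(frame_bytes):
    """Bits one frame occupies on the wire, overhead included."""
    return (frame_bytes + WIRE_OVERHEAD_BYTES) * 8


def line_rate_pps(link_bps, frame_bytes):
    """Maximum whole packets per second the link can carry at this size."""
    return link_bps // wire_bits(frame_bytes)


def budget_us(link_bps, frame_bytes):
    """Microseconds the filter has per packet before it falls behind."""
    return wire_bits(frame_bytes) * 1e6 / link_bps


def sizes_exceeding(link_bps, target_pps):
    """Frame sizes at which a saturated link delivers more than target_pps."""
    return [s for s in FRAME_SIZES if line_rate_pps(link_bps, s) > target_pps]


if __name__ == "__main__":
    for name, bps in LINKS.items():
        print(name)
        for size in FRAME_SIZES:
            print(f"  {size:>5} bytes: {line_rate_pps(bps, size):>9,} pps, "
                  f"{budget_us(bps, size):8.3f} us per packet")
        # 50,000 packets/second is the rate asked about in the message.
        print("  sizes above 50,000 pps:", sizes_exceeding(bps, 50_000))
```

At 10Mbit no frame size reaches 50,000 packets/second, at 100Mbit only the 64- and 128-byte cases do, and at GigE every size does, with the 64-byte case leaving well under a microsecond per packet.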
