Tony Sarendal <[EMAIL PROTECTED]> wrote:

> To design a reliable IP network I would need the devices to be able to
> handle the desired pps rate even when that state limit is exceeded.
>
> Many routing devices have over the years achieved good performance by
> different flow caching methods, we have over the years also learnt that
> this is a bad thing in uncontrolled environments like the Internet.
>
> A reliable IP router is wirespeed and stateless. There is no getting
> around that.

It is also that much boring :)

The ability to preserve existing and valid connections in case of overloaded
traffic (think DoS) is more useful for me. As Henning suggested, you can
always make the ruleset fail (stateless) open and get the best of both worlds.

> In my case I would verify that the box is wirespeed in the environment I
> put it in, the fact that it can be faster under certain conditions is less
> interesting.

For such a strict view and/or requirement, your options are somewhat limited.
I would suggest:

1. Test with the same ruleset that you would use in production. In the
   stateless case, the number of rules directly influences the amount of
   work done for each packet, there is no state/caching.

2. To reduce the ruleset evaluation overhead for a large number of addresses
   (usually more than four or five) use tables instead of single rules. The
   ruleset optimizer in pfctl usually does this for you, but look at the
   generated rules instead of the ones you wrote when comparing different
   rulesets.

Can
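The two ruleset forms contrasted in point 2, as an added pf.conf illustration that is not part of the thread; the interface name and the addresses are constructed placeholders:

```pf
# Added example, not from the thread. "em0" and the 192.0.2.x addresses are
# constructed placeholders.
ext_if = "em0"

# Form A: one rule per address. With no state, every packet that reaches
# this point is compared against each of these rules in turn, so the
# per-packet cost grows with the length of the list.
pass in on $ext_if proto tcp from 192.0.2.10 to port 22 no state
pass in on $ext_if proto tcp from 192.0.2.11 to port 22 no state
pass in on $ext_if proto tcp from 192.0.2.12 to port 22 no state
pass in on $ext_if proto tcp from 192.0.2.13 to port 22 no state
pass in on $ext_if proto tcp from 192.0.2.14 to port 22 no state

# Form B: the same addresses in a table. One rule, one table lookup per
# packet, regardless of how many entries the table holds.
table <admins> { 192.0.2.10, 192.0.2.11, 192.0.2.12, \
                 192.0.2.13, 192.0.2.14 }
pass in on $ext_if proto tcp from <admins> to port 22 no state
```

To see what pfctl actually loads after the optimizer has run, parse without loading and print the rules verbosely, e.g. `pfctl -o -nvf /etc/pf.conf`; compare that output, not the file you wrote, when benchmarking rulesets.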

