PF sessions/s rate evaluation
I'm currently a master degree student, and I'd like to benchmark packet filter over the number of tcp sessions per seconds it can handle.
So I've got a very basic setup working, consisting of one server running OpenBSD 4.9 with PF (acting as firewall-router), and 2 PC's running Linux, acting respectively as client and webserver (running apache2 for the last).
Basically, the client spams standard HTTP requests to the server via the firewall using a basic HTTP injector tool and evaluates the number of sucessful processed requests per seconds.
As one can expect, there is an inverse relationship between the number of sessions/s a firewall can sustain and the size of the object of the request. To achieve maximum throughput, you've got to request big size objects (i.e 50KB or more), whereas to achieve maximum sessions rate per second, you've got to make requests with 0 size objects.
Prior to this, I've run some tests with a Linux firewall running iptables, and I've come up with an average rate of 11300 sessions/s for 0 size objects (straight up results, no tweaks or improvements made).
Moving on to the OpenBSD tests, I only achieved an average rate of 7000 sessions/s for 0 size object (starting up at 8000, slowly decreasing to 7000 - 6500 ...), which is way above the linux/iptables average rate . I then tried to make some tweaks in /etc/sysctl.conf, but no improvement so far. The ruleset I use is the following (copied from the OpenBSD pf tutorial) :
set block-policy drop
pass out quick
pass in on $WAN inet proto tcp port 80 rdr-to $HTTP_SERVER_IP
pass in inet proto icmp all
pass in on $LAN.
So I come here now to know whether you guys have any idea what sort of tweaks I could try to significantly enhance the number of tcp sessions per seconds processed by PF. I'm kind of a PF newbie, so I'm clueless for the moment . Any hints, thoughts or ideas is appreciated !
You will want to ask this question on the PF mailing list. It is likely you will get your best answers there. This is a very small community of users, here.
I would wonder if rdr-to forces traffic normalization, but that is just conjecture.
Last edited by jggimi; 16th August 2011 at 10:14 AM.
|Thread||Thread Starter||Forum||Replies||Last Post|
|openBSD4.4 + Chrooted apache1.3 + php5 + sessions||wolf3d||OpenBSD Packages and Ports||1||2nd July 2009 11:07 AM|
|DragonFly BSD evaluation||Graaf_van_Vlaanderen||Other BSD and UNIX/UNIX-like||6||7th April 2009 06:26 AM|
|transfer rate||zomo||OpenBSD General||7||26th January 2009 03:00 AM|
|OpenBSD 4.4 and refresh rate 75||mfaridi||OpenBSD Installation and Upgrading||8||12th November 2008 12:05 PM|
|URL evaluation tools to determine if serving malware||dk_netsvil||Off-Topic||0||30th June 2008 04:55 PM|