Tony Sarendal  wrote:

quoted text
> To design a reliable IP network I would need the devices to be able to

> handle

> the desired pps rate even when that state limit is exceeded.

>

> Many routing devices have over the years achieved good performance by

> different flow caching

> methods, we have over the years also learnt that this is a bad thing in

> uncontrolled environments

> like the Internet.

>

> A reliable IP router is wirespeed and stateless. There is no getting around

> that.

It is also that much boring :)  The ability to preserve existing and valid

connections in case of overloaded traffic (think DoS) is more useful for me.

As Henning suggested, you can always make the ruleset fail (stateless) open

and get the best of both worlds.
> In my case I would verify that the box is wirespeed in the environment I put

quoted text
> it in, the fact that

> it can be faster under certain conditions is less interesting.

For such a strict view and/or requirement, your options are somewhat

limited.
I would suggest:
1. Test with the same ruleset that you would use in production. In the

stateless case, the number of rules directly influences the amount of

work done for each packet, there is no state/caching.
2. To reduce the ruleset evaluation overhead for large number of

addresses (usually more than four or five) use tables instead of single

rules. The ruleset optimizer in pfctl usually does this for you, but

look at the generated rules instead of the ones you wrote when comparing

different rulesets.
Can