Efficiency Performance "best-case" performance has improved A LOT in the past 3-4 years See henning's EuroBSDCon 2009 talk (upcoming data structure diagrams based on this) "worst-case" performance is still an issue The cost of ruleset evaluation is very high Two cases: CPU attack: packet traverses the ruleset, gets blocked CPU+RAM attack: packet traverses the ruleset, creates state In theory we can fix the first with performance improvements in ruleset evaluation (easy to say, hard to do). The second one is much harder to deal with.