> Stef, > > We have about 3200 iptables rules on our bridge. I've tested today to > remove 1000 of these rules. The load dropped from about 40% to 25%. So I > think the iptables rule take up the most of the CPU load. Do you think this > is a problem of ineffeciency of iptables or just a 'limitation' in the > TCP/IP stack of linux ? I don't think it's a limitation. I think you reached the point where you need a bigger machine :) Maybe you can try to iptables mailing list to find more info about the performance you can expect : http://lists.netfilter.org/mailman/listinfo/netfilter Stef -- stef.coene@xxxxxxxxx "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.oftc.net
