Well, if you have 3000+ rules like that, it will certainly slow you down. You should use some kind of hashing. How that is done for tc filters, is described here: http://www.lartc.org/lartc.html#LARTC.ADV-FILTER.HASHING
Apply the same (or a similar) mechanism to your iptables ruleset and you should get improved speeds.
If he wanted to keep the system of using iptables to classify and tc to filter, then couldn't he look at using separate filter chains to decrease the search space?
Also, what about using return rules to speed up the search times in a given filter chain?
I think his point was actually that it was not a CPU issue without adding that one particular rule. But perhaps you will have more success asking on the iptables list?
Good luck
Ed W

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
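An added example, mine rather than code from the LARTC HOWTO or from anyone in this thread, of what the two suggestions above look like when applied to an iptables ruleset: the per-host MARK rules (iptables classifying, tc filtering on the mark) are bucketed into one sub-chain per /24, with a short dispatcher chain jumping into the right bucket, instead of one flat chain that is walked linearly. The script emits iptables-restore text rather than touching the kernel, so it can be inspected or run anywhere. The "ip mark" host list, the h_a_b_c chain names and the host addresses are all invented for this example.

```shell
#!/bin/sh
# Added example, not code from the LARTC HOWTO or from the thread.
# Generates an iptables mangle ruleset (iptables-restore format) that
# "hashes" per-host MARK rules into per-/24 sub-chains, the iptables
# analogue of the tc filter hashing in the HOWTO. Assumptions of mine:
# the "ip mark" list format and the h_<a>_<b>_<c> chain names are
# invented; the marks are meant to be matched by a tc fw classifier.
# Usage: sh hash_rules.sh | iptables-restore -n   (or just read the output)

# Constructed sample input (a real list would have thousands of lines).
HOSTS='10.1.1.5 10
10.1.1.77 11
10.1.1.200 12
10.1.1.201 13
10.1.2.9 20
10.1.2.10 21
10.1.2.11 22
10.1.2.12 23
192.168.7.3 30
192.168.7.44 31
192.168.7.45 32
192.168.7.46 33'

# /24 bucket chain name for a dotted quad: 10.1.2.9 -> h_10_1_2
bucket_chain() {
    printf 'h_%s\n' "$(printf '%s' "$1" | cut -d. -f1-3 | tr . _)"
}

# /24 network of a dotted quad, for the dispatcher: 10.1.2.9 -> 10.1.2.0/24
bucket_net() {
    printf '%s.0/24\n' "$(printf '%s' "$1" | cut -d. -f1-3)"
}

# Host list as "chain net ip mark" lines; every generator below reads this.
hosts_with_buckets() {
    printf '%s\n' "$HOSTS" | while read -r ip mark; do
        [ -n "$ip" ] || continue
        printf '%s %s %s %s\n' "$(bucket_chain "$ip")" "$(bucket_net "$ip")" "$ip" "$mark"
    done
}

# Flat layout: every host rule sits in PREROUTING and is walked linearly,
# so a packet for the last host is compared against all N rules.
gen_flat() {
    printf '*mangle\n'
    hosts_with_buckets | while read -r chain net ip mark; do
        printf '%s\n' "-A PREROUTING -d $ip -j MARK --set-mark $mark"
    done
    printf 'COMMIT\n'
}

# Hashed layout: PREROUTING holds one jump per /24 bucket and each bucket
# chain holds only its own hosts, so a packet is compared against at most
# (#buckets + hosts in its bucket) rules. Falling off the end of a user
# chain returns to PREROUTING, so no trailing RETURN is needed; an early
# "-j RETURN" only pays off where a chain also sees traffic it cannot match.
gen_hashed() {
    printf '*mangle\n'
    # declare each bucket chain once
    hosts_with_buckets | cut -d' ' -f1 | sort -u | while read -r chain; do
        printf ':%s - [0:0]\n' "$chain"
    done
    # dispatcher: one rule per /24
    hosts_with_buckets | cut -d' ' -f1,2 | sort -u | while read -r chain net; do
        printf '%s\n' "-A PREROUTING -d $net -j $chain"
    done
    # per-bucket host rules, grouped by chain
    hosts_with_buckets | sort | while read -r chain net ip mark; do
        printf '%s\n' "-A $chain -d $ip -j MARK --set-mark $mark"
    done
    printf 'COMMIT\n'
}

# Worst-case number of rules compared for one packet under each layout,
# so the two can be contrasted without loading anything into the kernel.
flat_worst_case() {
    gen_flat | grep -c '^-A PREROUTING'
}

hashed_worst_case() {
    buckets=$(gen_hashed | grep -c '^-A PREROUTING')
    biggest=$(hosts_with_buckets | cut -d' ' -f1 | sort | uniq -c \
              | sort -rn | head -n 1 | sed 's/^ *//' | cut -d' ' -f1)
    echo $((buckets + biggest))
}

# Print the hashed ruleset when run directly.
gen_hashed
```

With the 12 constructed hosts the flat layout compares a packet against up to 12 rules and the hashed one against at most 7 (3 dispatcher jumps plus 4 hosts in the largest bucket); with thousands of hosts spread over many /24s the gap is what makes the difference. A second level of buckets (per /16 jumping to per /24) is the same idea applied again, exactly as the HOWTO does for tc hash tables.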