> > Apply the same (or a similar) mechanism to your iptables ruleset and
> > you should get improved speeds.
>
> I like this idea. I never thought about using a hash filter in iptables.
> I could have two sections. I could match the subnet and then jump to
> look up the node address. I think this would lessen the load
> considerably as long as it is the lookup that is taking the most CPU
> cycles and not the actual MARK routine having to execute on every packet.

Well, I don't know your ruleset and setup, but maybe you could use the
connection tracking system to improve this. Put the mark value into the
conntrack table using the CONNMARK extension. For every packet you receive
you have to restore this value, but there's no need to fall through the
rules any more if it is already marked. Lookups in the conntrack table use
hashing, so they should be much faster. A huge ruleset decreases iptables
performance pretty badly.

Regards

-- 
"You have new mail!" - The GMX Toolbar tells you while you surf! Activate it now at http://www.gmx.net/info
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
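The CONNMARK short-circuit suggested above, written out as an added example that is not code from either poster. The script generates an iptables-restore fragment for the mangle table: restore the connection's mark onto the packet, stop if it is already set, otherwise run the two-level subnet/node lookup once and save the result into the conntrack entry. The node list, the mark values and the /24 grouping are constructed assumptions; the chain names (NET_10_1_0 and so on) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits an iptables-restore
# fragment for the mangle table that classifies each flow once and lets
# conntrack carry the mark for every later packet of that flow.
#
# Assumed (constructed) node layout: one "<node-ip> <mark>" per line.
# Mark 0 is reserved to mean "not yet classified", so no node uses it.
NODES='10.1.0.5 5
10.1.0.6 6
10.1.1.7 7'

# Hypothetical per-subnet chain name for a /24: 10.1.0.5 -> NET_10_1_0
subnet_chain() {
    printf 'NET_%s\n' "$(printf '%s' "$1" | cut -d. -f1-3 | tr . _)"
}

# List the distinct subnet chains needed for a node list ($1).
subnet_chains() {
    printf '%s\n' "$1" | while read -r ip mark; do subnet_chain "$ip"; done | sort -u
}

# Print the mangle-table ruleset for node list $1 (iptables-restore syntax).
gen_connmark_ruleset() {
    printf '*mangle\n'
    # Declare the per-subnet user chains.
    subnet_chains "$1" | while read -r chain; do printf ':%s - [0:0]\n' "$chain"; done
    # 1. Copy the mark stored in the conntrack entry onto this packet.
    #    conntrack runs before mangle in PREROUTING, so the entry exists here.
    printf -- '-A PREROUTING -j CONNMARK --restore-mark\n'
    # 2. Already classified: stop, without walking the lookup chains at all.
    printf -- '-A PREROUTING -m mark ! --mark 0 -j ACCEPT\n'
    # 3. First packet of a flow only: dispatch on subnet, then look up the node.
    subnet_chains "$1" | while read -r chain; do
        net=$(printf '%s' "$chain" | sed 's/^NET_//; s/_/./g')
        printf -- '-A PREROUTING -s %s/24 -j %s\n' "$net.0" "$chain"
    done
    # 4. Persist the freshly set mark into the conntrack entry for the flow.
    printf -- '-A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark\n'
    # Per-node lookup rules; the chain returns to PREROUTING after MARK.
    printf '%s\n' "$1" | while read -r ip mark; do
        printf -- '-A %s -s %s -j MARK --set-mark %s\n' "$(subnet_chain "$ip")" "$ip" "$mark"
    done
    printf 'COMMIT\n'
}

# Usage (on the router, as root):
#   gen_connmark_ruleset "$NODES" | iptables-restore --noflush
gen_connmark_ruleset "$NODES"
```

Two points to keep in mind when adapting this: the MARK value still has to be written onto every packet (that is what --restore-mark does), so this only removes the rule fall-through, which is exactly the case the original poster was unsure about; and the nf_conntrack modules must be loaded and must see the traffic, otherwise --restore-mark is a no-op and every packet takes the slow path.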