Re: debugging kernel during packet drops


 



On Friday, 26 March 2010 at 11:41 +0100, Jorrit Kronjee wrote:

> And iptables-save -c produced this:
> # Generated by iptables-save v1.4.4 on Fri Mar 26 11:24:59 2010
> *filter
> :INPUT ACCEPT [1043:60514]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [942:282723]
> [99563191:3783420610] -A FORWARD -m hashlimit --hashlimit-upto 10000/sec --hashlimit-burst 100 --hashlimit-mode dstip --hashlimit-name hashtable --hashlimit-htable-max 131072 --hashlimit-htable-expire 1000 -j ACCEPT
> [0:0] -A FORWARD -m limit --limit 5/sec -j LOG --log-prefix "HASHLIMITED -- "

Hmm, --hashlimit-htable-expire 1000 & gcinterval 1000 (default) are very
aggressive.

That might explain the high number of spinlock locks/unlocks (many entries are
inserted/deleted per second).

I would leave entries in the table forever (no more expensive locks/unlocks):

--hashlimit-htable-expire 100000
--hashlimit-htable-gcinterval 3600000   (garbage collect every hour)
--hashlimit-htable-size 65536

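As an added example, not part of the thread: the quoted FORWARD rule next to the variant with the proposed htable settings, plus a rough sizing check of my own. The check assumes that an idle entry survives at least --hashlimit-htable-expire ms and is only reaped by the next garbage-collection pass, so up to expire + gcinterval ms in the worst case; at a given rate of new destination addresses that gives an estimate of steady-state table occupancy, which matters because once --hashlimit-htable-max is reached xt_hashlimit cannot allocate an entry and hot-drops the packet. The rate of 100 new destinations per second is a constructed figure; the script only prints the commands and never calls iptables.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the original and tuned
# hashlimit rules and a worst-case occupancy estimate; applying the rules
# is left to the operator (root, on the box in question).

hashlimit_rule() {
    # $1: the --hashlimit-htable-* options to append; prints the full command
    rule="iptables -A FORWARD -m hashlimit --hashlimit-upto 10000/sec"
    rule="$rule --hashlimit-burst 100 --hashlimit-mode dstip"
    rule="$rule --hashlimit-name hashtable $1 -j ACCEPT"
    printf '%s\n' "$rule"
}

# The rule from the quoted iptables-save output: 1 s expiry, and gcinterval
# left at its 1 s default, so entries are created and reaped every second.
original_rule() {
    hashlimit_rule "--hashlimit-htable-max 131072 --hashlimit-htable-expire 1000"
}

# The same rule with the settings proposed in the reply: gc once an hour.
tuned_rule() {
    hashlimit_rule "--hashlimit-htable-max 131072 --hashlimit-htable-expire 100000 --hashlimit-htable-gcinterval 3600000 --hashlimit-htable-size 65536"
}

# Worst-case entries held in the table (my approximation, not from the thread):
# $1 new destination addresses per second, $2 expire (ms), $3 gcinterval (ms).
# An idle entry lives up to expire + gcinterval ms before the gc pass removes it.
worst_case_entries() {
    echo $(( $1 * ($2 + $3) / 1000 ))
}

# Succeeds when the estimate stays below htable-max ($4); fails otherwise.
fits_in_table() {
    [ "$(worst_case_entries "$1" "$2" "$3")" -le "$4" ]
}

# Constructed figure: 100 never-repeating destinations per second.
new_dst_per_sec=100

echo "# original:"; original_rule
echo "# tuned:";    tuned_rule
echo "# worst-case entries, original: $(worst_case_entries $new_dst_per_sec 1000 1000)"
echo "# worst-case entries, tuned:    $(worst_case_entries $new_dst_per_sec 100000 3600000)"
if fits_in_table $new_dst_per_sec 100000 3600000 131072; then
    echo "# tuned settings stay under --hashlimit-htable-max"
else
    echo "# tuned settings can fill the table; raise --hashlimit-htable-max or lower --hashlimit-htable-gcinterval"
fi
```

With hourly gc the table can hold far more entries than a 1 s expiry ever let it, so check the estimate against --hashlimit-htable-max for the traffic actually seen; a short expiry with a moderate gcinterval (say tens of seconds) keeps the lock churn low without letting the table fill.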

