I'm trying to debug how CPU-consuming the string match could be. Is it a linear function? I mean, 1 Mbit -> 1024/8 Kbytes; supposing the MTU payload is 1500 bytes, I have in 1 megabit [(1024/8)*1000]*1500 = 1920000000 packets.

Another thing: this rule just filters the initial download request. That would be okay if you want to filter completely, but if you want to slow down (I mean using tc/htb/fwmarks) you wouldn't be matching the whole download, only the request...

iptables -t mangle -A PREROUTING -p tcp -m string --string "Kazaa" -j DROP

Any comment, any idea?