In general the string match is not reliable as the string you're scanning
for could be fragmented amongst several packets...

Ramin

On Tue, Jun 10, 2003 at 09:35:39PM -0300, Esteban Ribicic wrote:
> I'm trying to debug how CPU-consuming the string match could be.
> Is it a linear function? I mean...
>
> 1 Mbit -> 1024/8 Kbytes
>
> Supposing the MTU payload is 1500 bytes, I have in 1 megabit
> [(1024/8)*1000]*1500 = 1920000000 packets
>
> Another thing: this rule just filters the initial download request. That
> would be okay if you want to filter completely, but if you want to slow
> down (I mean using tc/htb/fwmarks) you wouldn't be matching the whole
> download, only the request...
>
> iptables -t mangle -A PREROUTING -p tcp -m string --string "Kazaa" -j DROP
>
> Any comment, any idea?
>
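
The fragmentation point in the reply above, as an added example that is not part of the original thread: a stateless per-packet check is compared with a matcher that carries the last len(pattern)-1 bytes of the flow forward. The payloads are constructed sample data, the function and class names are hypothetical, and the matcher assumes it is fed the in-order segments of a single flow.

```python
# Added illustration: per-packet matching vs. matching with carry-over state.
# All payloads are constructed sample data, not captured traffic.

PATTERN = b"Kazaa"


def per_packet_match(payloads, pattern=PATTERN):
    """Inspect each payload on its own, as a stateless per-packet filter does."""
    return [pattern in p for p in payloads]


class StreamMatcher:
    """Remember the last len(pattern)-1 bytes of the flow so that a pattern
    straddling a segment boundary is still seen.
    Assumption: segments arrive in order and belong to one flow."""

    def __init__(self, pattern=PATTERN):
        self.pattern = pattern
        self.tail = b""

    def feed(self, payload):
        window = self.tail + payload
        hit = self.pattern in window
        keep = len(self.pattern) - 1
        # Keeping fewer bytes than the pattern length means an occurrence
        # already reported cannot be reported again on the next segment.
        self.tail = window[-keep:] if keep else b""
        return hit


def stream_match(payloads, pattern=PATTERN):
    """Run one StreamMatcher over the segments of a flow, in order."""
    matcher = StreamMatcher(pattern)
    return [matcher.feed(p) for p in payloads]


# Constructed request: once in a single segment, once split mid-pattern.
WHOLE = [b"GET /file HTTP/1.1\r\nX-Client: Kazaa\r\n\r\n"]
SPLIT = [b"GET /file HTTP/1.1\r\nX-Client: Kaz", b"aa\r\n\r\n"]

if __name__ == "__main__":
    for name, flow in (("whole", WHOLE), ("split", SPLIT)):
        print(name, "per-packet:", per_packet_match(flow))
        print(name, "stream:    ", stream_match(flow))
```

The per-packet check reports no hit on either segment of the split flow, while the carry-over matcher flags the second segment; the state it needs is per flow, which is the cost a per-packet rule avoids.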