> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> Esteban Ribicic
> Sent: Wednesday, June 11, 2003 2:36 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx; LARTC
> Cc: winfield@xxxxxxxxxxxx
> Subject: kazaaa is making me crazy!
>
>
> I'm trying to debug how CPU consuming the string
> match could be. Is it a linear function? I mean...
>
> 1 Mbit -> 1024/8 Kbytes
>
> Supposing the MTU payload is 1500 bytes, I have in 1 megabit
> [(1024/8)*1000]*1500 = 1920000000 packets
>
> Another thing: this rule just filters the initial download
> request. That would be okay if you want to filter completely,
> but if you want to slow down (I mean using tc/htb/fwmarks)
> you wouldn't be matching the whole download, only the request...
>
> iptables -t mangle -A PREROUTING -p tcp -m string --string "Kazaa" -j DROP
>
>
> Any comment, any idea?

Wouldn't it be better if you put -m state --state established on top of the
rules, and also in the INPUT or FORWARD chain? That way not every packet
needs to be checked for -m string --string "Kazaa".

iptables -t mangle -D PREROUTING -p tcp -m string --string "Kazaa" -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -m string --string "Kazaa" -j DROP

Regards
Klintan
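An added illustration of the cost question raised in the thread; this is not code from either poster and not netfilter code. It models, in Python, a minimal conntrack (a flow is NEW until a packet in the reply direction has been seen, then ESTABLISHED) and a first-match rule evaluator that counts how many packets reach the string match for three rule orderings: the original "scan every packet" rule, the reordered ESTABLISHED-accept-first rule set, and a variant with the string match placed before the ESTABLISHED accept. The traffic trace, addresses and payload are constructed. One check worth making before adopting the reordered rule set: conntrack reports a TCP flow as ESTABLISHED as soon as the SYN-ACK has been seen, so the request that actually carries the "Kazaa" bytes arrives in an ESTABLISHED packet and is accepted by the first rule; the string match then only ever sees the empty SYN.

```python
"""Rule-order model for iptables -m string cost.

Constructed example, not netfilter code and not from the thread: a
minimal conntrack (a flow is NEW until a reply is seen, then
ESTABLISHED) plus a first-match rule evaluator that counts how many
packets reach the string match. Addresses and payloads are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NEW, ESTABLISHED = "NEW", "ESTABLISHED"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes = b""


@dataclass
class Conntrack:
    """flow (src, dst) -> True once a packet in the reverse direction was seen."""
    flows: Dict[Tuple[str, str], bool] = field(default_factory=dict)

    def state(self, pkt: Packet) -> str:
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if rev in self.flows:          # reply to a tracked flow
            self.flows[rev] = True
            return ESTABLISHED
        if fwd in self.flows:          # originator side of a tracked flow
            return ESTABLISHED if self.flows[fwd] else NEW
        self.flows[fwd] = False        # first packet of a new flow
        return NEW


@dataclass(frozen=True)
class Rule:
    target: str
    state: Optional[str] = None      # -m state --state X
    string: Optional[bytes] = None   # -m string --string X


def run(rules: List[Rule], pkts: List[Packet]) -> Tuple[int, int]:
    """Return (string_match_evaluations, dropped_packets) for a rule list.
    First matching rule wins; unmatched packets take the chain's ACCEPT policy."""
    ct = Conntrack()
    string_checks = drops = 0
    for pkt in pkts:
        st = ct.state(pkt)
        for rule in rules:
            if rule.state is not None and rule.state != st:
                continue
            if rule.string is not None:
                string_checks += 1   # the expensive payload scan
                if rule.string not in pkt.payload:
                    continue
            if rule.target == "DROP":
                drops += 1
            break
    return string_checks, drops


def kazaa_session(n_data: int = 20) -> List[Packet]:
    """TCP handshake, one request carrying the signature, then a download.
    Retransmissions after a drop are not modelled."""
    c, s = "10.0.0.2", "198.51.100.7"     # constructed addresses
    pkts = [Packet(c, s), Packet(s, c), Packet(c, s)]   # SYN, SYN-ACK, ACK
    pkts.append(Packet(c, s, b"GET /.hash=abc HTTP/1.1\r\nUser-Agent: KazaaClient\r\n\r\n"))
    for _ in range(n_data):
        pkts.append(Packet(s, c, b"\x00" * 1460))       # data segment
        pkts.append(Packet(c, s))                       # bare ACK
    return pkts


# Esteban's rule: scan every packet.
ORIGINAL = [Rule("DROP", string=b"Kazaa")]
# Klintan's ordering: ESTABLISHED accepted first, string match only on NEW.
REORDERED = [Rule("ACCEPT", state=ESTABLISHED),
             Rule("DROP", state=NEW, string=b"Kazaa")]
# String match placed before the ESTABLISHED accept.
STRING_BEFORE_ACCEPT = [Rule("DROP", state=ESTABLISHED, string=b"Kazaa"),
                        Rule("ACCEPT", state=ESTABLISHED)]

if __name__ == "__main__":
    trace = kazaa_session()
    for name, rules in [("original", ORIGINAL), ("reordered", REORDERED),
                        ("string before accept", STRING_BEFORE_ACCEPT)]:
        checks, dropped = run(rules, trace)
        print(f"{name:22s} string checks={checks:3d}  dropped={dropped}")
```

On the constructed 44-packet session the original rule scans all 44 packets and drops the request; the reordered set scans one packet (the SYN) and drops nothing; placing the string match before the ESTABLISHED accept scans 43 packets and drops the request. The cost saving and the ability to catch the request pull in opposite directions because the signature is never in the NEW packet of a TCP flow. On a current kernel the real rule also needs an algorithm selector (`-m string --algo bm --string "Kazaa"`); the 2003 patch-o-matic string match accepted the bare form shown in the thread.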