----- Original Message -----
From: "Rob Sterenborg" <rob@xxxxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Friday, April 23, 2004 8:07 PM
Subject: Re: Synfloods - SNAT slow down

> > I have two thousand hosts and two thousand forward rules :(
>
> With so many hosts/rules you should be able to match subnets instead of
> each host separately, reducing the number of rules greatly which in turn
> improves Netfilter performance. Or do you have a special reason to do
> this ?
>
>
> Gr,
> Rob
>

I had seen a patch in patch-o-matic which is supposed to fix a performance issue in SNAT during floods. In fact, the current kernel runs with the above-mentioned patch.

You are right. In fact, I am rewriting the script which will generate netfilter rules. I wanted to find out whether I can fine-tune the new netfilter rule set to offset the overloading of the gateway due to SYN/ICMP floods.

Do you think there would be an improvement if I had a hierarchical filter rule set?

KRV
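The two approaches discussed in the thread (collapsing per-host rules into subnet matches, and a hierarchical rule set with one user chain per subnet) as an added example, not code from the thread or from the poster's generator script. It is a small rule generator in POSIX sh: it prints the iptables commands rather than running them, so it needs neither root nor a live netfilter. The host list is constructed sample data and the `fwd_a_b_c` chain names are my own choice; the iptables flags used (`-N` new chain, `-A` append, `-d` destination match, `-j` jump) are standard. With a flat FORWARD chain every packet walks every per-host rule; with per-/24 dispatch a packet walks one rule per subnet plus the rules inside its own subnet's chain, which for two thousand hosts spread over a handful of /24s is a large reduction in rules evaluated per packet, and therefore in CPU burned per flood packet.

```shell
#!/bin/sh
# Added example: generate netfilter FORWARD rules two ways from one host list
# and count how many rules a packet traverses under each layout.
# HOSTS is constructed sample data; chain names fwd_<a>_<b>_<c> are assumed.

HOSTS="10.1.1.10 10.1.1.11 10.1.1.12 10.1.2.20 10.1.2.21 10.1.3.30"

# Distinct /24 prefixes (a.b.c) present in HOSTS.
subnets() {
    for h in $HOSTS; do echo "${h%.*}"; done | sort -u
}

# Chain name for a /24 prefix: 10.1.1 -> fwd_10_1_1
chain_for() {
    printf 'fwd_%s\n' "$(echo "$1" | tr . _)"
}

# Flat layout: one FORWARD rule per host. Every packet walks the whole list.
gen_flat() {
    for h in $HOSTS; do
        printf 'iptables -A FORWARD -d %s -j ACCEPT\n' "$h"
    done
}

# Subnet-only layout (Rob's suggestion): one rule per /24, valid only when
# every host in that /24 should be forwarded.
gen_subnet_only() {
    for s in $(subnets); do
        printf 'iptables -A FORWARD -d %s.0/24 -j ACCEPT\n' "$s"
    done
}

# Hierarchical layout: one user chain per /24, one dispatch rule per /24 in
# FORWARD, per-host rules only inside the matching chain.
gen_hier() {
    for s in $(subnets); do
        chain=$(chain_for "$s")
        printf 'iptables -N %s\n' "$chain"
        printf 'iptables -A FORWARD -d %s.0/24 -j %s\n' "$s" "$chain"
        for h in $HOSTS; do
            if [ "${h%.*}" = "$s" ]; then
                printf 'iptables -A %s -d %s -j ACCEPT\n' "$chain" "$h"
            fi
        done
    done
}

# Rules a packet to $1 can hit in the flat layout: the whole FORWARD chain.
count_flat_forward() {
    gen_flat | grep -c -- '-A FORWARD'
}

# Dispatch rules in FORWARD under the hierarchical layout (one per /24).
count_hier_forward() {
    gen_hier | grep -c -- '-A FORWARD'
}

# Worst-case rules a packet to destination $1 traverses in the hierarchical
# layout: all dispatch rules plus every rule in its own subnet's chain.
hier_path_len() {
    chain=$(chain_for "${1%.*}")
    dispatch=$(count_hier_forward)
    inchain=$(gen_hier | grep -c -- "-A $chain " || true)
    echo $((dispatch + inchain))
}

# Stand-alone run: show the generated rule sets and the per-packet cost.
if [ "${0##*/}" != "sh" ] && [ -z "$SOURCED" ]; then
    echo "# flat:";        gen_flat
    echo "# subnet only:"; gen_subnet_only
    echo "# hierarchical:"; gen_hier
    echo "# rules walked by a packet to 10.1.3.30: flat=$(count_flat_forward) hier=$(hier_path_len 10.1.3.30)"
fi
```

Run it as `sh gen_rules.sh` to print the three rule sets; pipe the output to `sh` on the gateway only once the rule list has been reviewed. The generator does not set a policy or a final DROP, and it accepts by destination only, so a real deployment would add state matching and a default-deny at the end of each chain.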