> > Additional info:
> > iptables add/remove rate is averaging 64.5 / minute
> >
> > Lindsay
>
> save your rules via iptables-save and load your rules via
> iptables-restore.
>
> refer to this previous post on the efficiency gains:
> http://marc.theaimsgroup.com/?l=netfilter&m=109897603213467&w=2

Using save and load works to get started, but the rules change at about 1 per
second as the program tracks people attacking our mail system. Perhaps I could
insert and delete rules in groups, committing every n seconds.

Do you know if the iptables rules gained more overhead in the 2.6 kernel?

Maybe splitting the rules among multiple chains would help. There seems to be
an increasing insertion time depending on chain length.

-I <chain> 1 and -A <chain> seemed to have the same runtimes, but does anyone
know if one performs better than the other?
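Added example, not code from the original thread or from the netfilter project: one way to implement the "insert and delete in groups, committing every n seconds" idea from the reply above. With legacy iptables every single add or delete fetches the whole table from the kernel, edits it in userspace and pushes the whole table back, so the cost of a change grows with the size of the table; that matches the observation that insertion time rises with chain length and that -I <chain> 1 and -A <chain> take the same time, since both end in the same full-table replacement. iptables-restore performs that replacement once for all the rule lines in a batch. The chain name MAILBLOCK, the spool file path, the "add <ip>" / "del <ip>" event format and the 5-second interval are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): apply iptables rule changes as
# one iptables-restore transaction per interval instead of one iptables call
# per change. Hypothetical assumptions: a filter-table chain MAILBLOCK exists
# and INPUT jumps to it; the attack-tracking program appends "add <ip>" or
# "del <ip>" lines to SPOOL (open, append one line, close), adding only IPs
# that are not yet blocked and deleting only IPs that are.

CHAIN=${CHAIN:-MAILBLOCK}
SPOOL=${SPOOL:-/var/run/mailblock.spool}
INTERVAL=${INTERVAL:-5}

# build_batch: read "add IP" / "del IP" events on stdin, print one
# iptables-restore script for the filter table on stdout.
# Per IP only the first and the last event matter: add ... del or
# del ... add leaves the chain as it was, so such IPs get no line at all.
# That also avoids emitting a -D for a rule this same batch would have added,
# which iptables-restore would reject, aborting the entire batch.
build_batch() {
    awk -v chain="$CHAIN" '
    NF == 2 && ($1 == "add" || $1 == "del") {
        ip = $2
        if (!(ip in first)) { first[ip] = $1; ips[++n] = ip }
        last[ip] = $1
    }
    END {
        print "*filter"
        for (i = 1; i <= n; i++) {
            ip = ips[i]
            if (first[ip] != last[ip]) continue
            op = (last[ip] == "add") ? "-A" : "-D"
            print op " " chain " -s " ip "/32 -j DROP"
        }
        print "COMMIT"
    }'
}

# apply_batch: hand the script on stdin to the kernel as a single table
# replacement. --noflush matters: without it iptables-restore flushes every
# chain of *filter before applying the batch.
apply_batch() {
    iptables-restore --noflush
}

# run_loop: every INTERVAL seconds take whatever has accumulated in SPOOL and
# apply it as one batch. A failed batch is kept for inspection, because
# iptables-restore applies a batch all-or-nothing.
run_loop() {
    while :; do
        sleep "$INTERVAL"
        [ -s "$SPOOL" ] || continue
        mv "$SPOOL" "$SPOOL.work"
        if build_batch < "$SPOOL.work" | apply_batch; then
            rm -f "$SPOOL.work"
        else
            mv "$SPOOL.work" "$SPOOL.failed.$(date +%s)"
            echo "batch failed; events kept in $SPOOL.failed.*" >&2
        fi
    done
}

if [ "${1:-}" = run ]; then
    run_loop
fi
```

Run it as root with `sh batch.sh run`; build_batch can be exercised without touching the kernel by piping a few constructed event lines into it and reading the generated script. Keep --noflush, and keep the event producer from issuing a del for an IP it never added, since one rejected line discards the whole batch.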