Hello List,

I have some moderately busy (in terms of traffic) firewalls that are spending quite a lot of CPU time in %system (> 70%) when there are a lot of updates to the netfilter rules.

My question is: how can I lower the system time to enable the machines to handle more traffic? Specifically, would nf-hipac or other netfilter projects help here?

These are 2.8GHz Xeon machines with 512 MB RAM and GbE interfaces. During the "high-system-time period" they are forwarding about 30 Mbit/s of traffic.

The netfilter chain structure is as follows (only FORWARD is relevant):

Chain FORWARD (policy DROP)
  *** publicly available services ***
  *** jump to chain with authenticated users ***
  *** services for authenticated users ***

The last rule in the auth-chain is a REJECT, so only authenticated users can access the private services. When a user logs in successfully a rule is added to the auth-chain; when he logs out the rule is deleted. At the mentioned high-system-time periods there are about 10 updates (add/delete) to the auth-chain per second.

I'm thankful for any advice.

_sh_