On Thu, 2006-01-26 at 11:00 +0100, Jakub Wartak wrote:
> On Thursday, 26 January 2006 09:46, Sebastian Heidl wrote:
> > I have some moderately busy (in terms of traffic) firewalls that are
> > spending quite a lot of CPU time in %system (> 70%) when there are a lot of
> > updates to the netfilter rules.
> > My question is: How can I lower the system time to enable the machines
> > to handle more traffic? Specifically, would nf-hipac or other netfilter
> > projects help here?
> > ...
> You could try ipsets, in my production systems they are rock solid stable.

Ok, I think the iphash type of set would be the right one here. Are there
any docs about the lookup/insert/update times under load?

> I'm pushing over 1200 clients on P4 3GHz (about 25-30 mbps, 50% cpu load, but
> this machine also is running netflow probe... network cards: pure e100

I'm running netflow too, NICs are e1000, currently we have a little over
3000 clients at peak times.

Thanks for the reply.

_sh_