Hi,

We are running kernel 2.6.17 and using iptables 1.3.5 and are observing a performance problem. We have a netfilter firewall consisting of about 800 chains and a total of 10000 rules (iptables -nvL | wc -l). A single iptables manipulation takes about 4 seconds (on a PIV 2Ghz with 1Gb DDR2 RAM). With the same firewall config (on slower hardware) in a 2.4.24 kernel with iptables 1.2.9 the single iptables manipulation takes about 500ms.

I traced the iptables command in 2.6.17 and noticed that the 4 seconds are actually lost in the setsockopt call to write the BLOB back to the kernel (BLOB size 2Mb; 11000 entries).

Does anyone have any idea what might be causing this slowdown? Has the kernel interface part changed dramatically between 2.4 and 2.6? Is it correct to say that no traffic will pass through in those 4 seconds that the filter is updated?

regards,
Bart Duchesne
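A small script, added here and not part of the original post, that reproduces the kind of diagnosis Bart describes: it parses `strace -T` output from an iptables run and attributes wall-clock time to each syscall, so the single large setsockopt that replaces the table stands out. The strace lines below are constructed sample input, not a capture from his system.

```python
import re
from collections import defaultdict

# One strace -T line: "name(args) = retval <seconds>".
SYSCALL_RE = re.compile(
    r"^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+).*<(?P<secs>[0-9.]+)>\s*$"
)

# Constructed sample of `strace -T -e trace=socket,getsockopt,setsockopt iptables -A ...`.
# Option 64 on SOL_IP is IPT_SO_SET_REPLACE, the call that writes the whole
# table blob back to the kernel; the timings are illustrative only.
SAMPLE_STRACE = """\
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3 <0.000031>
getsockopt(3, SOL_IP, 64, "filter"..., [84]) = 0 <0.000152>
getsockopt(3, SOL_IP, 65, "filter"..., [2097288]) = 0 <0.041022>
setsockopt(3, SOL_IP, 64, "filter"..., 2097312) = 0 <4.012874>
setsockopt(3, SOL_IP, 65, "filter"..., 13104) = 0 <0.000388>
+++ exited with 0 +++
"""


def parse_strace_T(text):
    """Yield (syscall name, seconds spent) for every line that has a <time> field."""
    for line in text.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if m:
            yield m.group("name"), float(m.group("secs"))


def time_by_syscall(text):
    """Sum the time spent per syscall name over the whole trace."""
    totals = defaultdict(float)
    for name, secs in parse_strace_T(text):
        totals[name] += secs
    return dict(totals)


def dominant_syscall(text):
    """Return (name, seconds, share of traced time) for the costliest syscall."""
    totals = time_by_syscall(text)
    traced = sum(totals.values())
    name = max(totals, key=totals.get)
    return name, totals[name], totals[name] / traced


if __name__ == "__main__":
    name, secs, share = dominant_syscall(SAMPLE_STRACE)
    for call, total in sorted(time_by_syscall(SAMPLE_STRACE).items()):
        print(f"{call:12s} {total:10.6f} s")
    print(f"dominant: {name} ({secs:.3f} s, {share:.1%} of traced time)")
```

Run the same parser over real output from `strace -T -o trace.txt iptables ...` to confirm whether the time is in the table write or elsewhere.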