Nigel Roberts wrote:
On Fri, 19 Jan 2007 at 12:31:27 +1300, Jasper Bryant-Greene wrote:
Anybody encountered anything similar? Is it likely to simply be related to the number of rules?
I reduced the CPU usage on our iptables based firewalls by a large proportion by making sure there were rules allowing ESTABLISHED and RELATED connections through relatively early in the rule set for each table.
You can also use additional chains to reduce the number of rules. You could for instance split your INPUT chain into 4 chains based on the source IP (0.0.0.0/2, 64.0.0.0/2, 128.0.0.0/2, 192.0.0.0/2) and reduce the number of rules each packet traverses by 1/4th[1]. Or use any other obvious metric to exclude having to check rules (eg in-interface). And yeah, as you mentioned, put the usual cases first. (iptables -nvL will list how many times each rule is being hit; ideally you'd want these numbers to decrease down a chain.)

----
[1]: Assuming that your rules are split evenly across the IP address space, which is fairly unlikely to be true.
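As an added example (not code from anyone in this thread), the two ideas above in Python: a generator that emits an iptables-restore fragment with the ESTABLISHED/RELATED accept first and INPUT dispatched into four sub-chains by source /2 prefix, and a checker that parses `iptables -nvL` output and flags rules hit more often than the rule directly above them (the ordering the post says you want). The sub-chain names IN_Q0..IN_Q3, the sample counter output and the use of the conntrack match (a 2007 ruleset would have used `-m state`) are my assumptions.

```python
"""Chain splitting and hit-counter ordering check for iptables rulesets.
Added example; chain names and sample counters are hypothetical."""

import re

# The four /2 source ranges from the post; sub-chain names are my choice.
QUARTERS = [
    ("0.0.0.0/2", "IN_Q0"),
    ("64.0.0.0/2", "IN_Q1"),
    ("128.0.0.0/2", "IN_Q2"),
    ("192.0.0.0/2", "IN_Q3"),
]


def split_input_ruleset(per_chain_rules):
    """Build iptables-restore text for the filter table.

    per_chain_rules maps a sub-chain name to a list of rule suffixes such as
    "-s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT". Rules for a given source
    range must be placed in the sub-chain that range dispatches to."""
    lines = ["*filter", ":INPUT DROP [0:0]"]
    for _, chain in QUARTERS:
        lines.append(f":{chain} - [0:0]")
    # Cheapest and most frequent match first: packets of existing flows.
    lines.append("-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    lines.append("-A INPUT -i lo -j ACCEPT")
    # Dispatch new connections by source quarter, so each packet only walks
    # the rules relevant to its address range.
    for prefix, chain in QUARTERS:
        lines.append(f"-A INPUT -s {prefix} -j {chain}")
    for _, chain in QUARTERS:
        for rule in per_chain_rules.get(chain, []):
            lines.append(f"-A {chain} {rule}")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


# iptables -nvL abbreviates large counters (use -x for exact values).
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}


def _count(token):
    m = re.fullmatch(r"(\d+)([KMGT]?)", token)
    if not m:
        raise ValueError(f"bad counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_nvl(output):
    """Return {chain: [(pkts, rule_text), ...]} from `iptables -nvL` output."""
    chains, current = {}, None
    for line in output.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current is None or not line.strip() or line.split()[0] == "pkts":
            continue  # preamble, blank separator or column header
        else:
            tokens = line.split()
            chains[current].append((_count(tokens[0]), " ".join(tokens[2:])))
    return chains


def out_of_order(chains):
    """Rules hit more often than the rule directly above them, per chain.

    Returns {chain: [rule_index, ...]} (0-based), only for chains that have
    at least one such rule; those are candidates for moving up."""
    report = {}
    for chain, rules in chains.items():
        bad = [i for i in range(1, len(rules)) if rules[i][0] > rules[i - 1][0]]
        if bad:
            report[chain] = bad
    return report


# Constructed sample of `iptables -nvL` output: the ESTABLISHED rule sits
# below the SSH rule and is hit far more often, so it should be flagged.
SAMPLE = """\
Chain INPUT (policy DROP 17 packets, 1020 bytes)
 pkts bytes target     prot opt in     out     source               destination
  812 48720 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
 9871 5923K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   40  2400 IN_Q0      all  --  *      *       0.0.0.0/2            0.0.0.0/0

Chain IN_Q0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
   30  1800 ACCEPT     tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:80
   10   600 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    print(split_input_ruleset({"IN_Q0": ["-s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT"]}))
    print(out_of_order(parse_nvl(SAMPLE)))
```

Feed real counters with `iptables -nvxL | python3 this.py`-style piping after replacing SAMPLE with `sys.stdin.read()`; the caveat in the footnote applies equally here, since a split that sends most traffic into one sub-chain saves little.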