Hi

> > it's statically in the kernel, i haven't gotten around to recompiling
> > the kernel yet to compile it out.
> >
> > i am using the NOTRACK module to bypass all traffic around conntrack though.
>
> What a shame :-(
> Unless I'm mistaken, that means that a connection is created for each
> incoming packet, then immediately destroyed using the NOTRACK target.
> Then it's the same again for outgoing packets. So while lookups are
> fast in an empty table, this still costs a lot of CPU. Also, there was
> a discussion in the past about netfilter's counters causing cache
> thrashing in SMP because they are updated for every packet. I don't
> remember the details and I may even be wrong though.
Nope, the raw table is done before any other table, so when u specify NOTRACK it will completely bypass conntracking. But then, unless u really need conntrack for something else, disabling it entirely would be a bit better (with empty iptables there is no need for the kernel to go thru any rule, so a bit less CPU load).

--
Mariusz Gronczewski (XANi) <xani...@gmail.com>
GnuPG: 0xEA8ACE64
http://devrandom.pl
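The raw-table rules the thread is talking about, as an added example (not code from either poster): NOTRACK applied in both raw-table hooks so that neither incoming nor locally generated packets ever reach conntrack, plus a check over an `iptables-save -t raw` dump that both hooks are actually covered, and a read of the live conntrack count to confirm the table stays empty. The sample dump and the script name are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: raw-table NOTRACK rules for all traffic,
# and a check (run against an iptables-save dump) that both hooks are covered.

# The raw table is traversed before the conntrack hooks, so a NOTRACK verdict
# there keeps the packet out of the tracking table entirely. Both hooks are
# needed: PREROUTING for incoming, OUTPUT for locally generated traffic.
notrack_rules() {
    cat <<'EOF'
iptables -t raw -A PREROUTING -j NOTRACK
iptables -t raw -A OUTPUT -j NOTRACK
EOF
}

# Read an "iptables-save -t raw" dump on stdin; succeed only if NOTRACK is
# applied in both PREROUTING and OUTPUT. A rule in only one hook leaves one
# direction of traffic being tracked, which is the cost the thread worries about.
notrack_covers_both_hooks() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q '^-A PREROUTING .*-j NOTRACK' &&
    printf '%s\n' "$dump" | grep -q '^-A OUTPUT .*-j NOTRACK'
}

# Number of currently tracked connections; 0 is expected once NOTRACK is in
# place. Prints -1 when the conntrack module is not loaded at all (the
# "disable it entirely" option from the reply).
conntrack_count() {
    f=/proc/sys/net/netfilter/nf_conntrack_count
    if [ -r "$f" ]; then cat "$f"; else echo -1; fi
}

# Constructed sample dump for offline use, shaped like iptables-save output.
SAMPLE_RAW_DUMP='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -j NOTRACK
-A OUTPUT -j NOTRACK
COMMIT'

# Stand-alone run: print the rules, check the sample dump, report live count.
main() {
    notrack_rules
    if printf '%s\n' "$SAMPLE_RAW_DUMP" | notrack_covers_both_hooks; then
        echo "sample dump: conntrack bypassed in both directions"
    fi
    echo "tracked connections now: $(conntrack_count)"
}
main
```

On a live box, `iptables-save -t raw | notrack_covers_both_hooks` gives the same check against the real rule set, and `conntrack_count` should read 0 afterwards.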