Hey there :) This is not a development-related question, please send it to /dev/null if you aren't interested. Thanks for your patience :)
That being said, I work for a (relatively) small colocation provider. We've got about two dozen customers. During extremely high packet load on our Linux router/firewall (*sigh* DoSes), the CPU usage jumps up to ~40% or so (Celeron 333MHz). This is system time.

I was just curious as to the general cost of jumping a chain versus going through a rule. Right now, each and every incoming packet goes through:

FORWARD (2 rules, at most) -> ips (40 rules, at most) -> i_customer (generally a single rule)

And each outgoing packet goes through:

FORWARD (again, two rules at most) -> macs (20 rules, at most) -> oipacct_<customername> (generally around six rules) -> o_<customername> (generally a single rule)

Now, my boss has been trying to tell me that it would be "better" to have all the rules in the FORWARD chain. I haven't gone so far as to say he's on drugs, but I think he's on drugs :)

I was wondering if anybody was interested in confirming my thoughts on the matter? I, unfortunately, do not have the skills to set up appropriate test cases to verify these things myself.

Thanks, have a nice day :)

(P.S.: Sent a message to [EMAIL PROTECTED] about a week ago, didn't receive much in the way of useful replies. I apologise again if this email offends anybody.)

-- 
,______________________________________________________________________.
| David B. Harris, Systems administrator | http://www.terrabox.com |
| [EMAIL PROTECTED], [EMAIL PROTECTED] | http://eelf.ddts.net |
|======================================================================|
| Clan Barclay motto: Aut agere, aut mori. (Either action, or death.) |
`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
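As an added example (not part of the mail above, and not a measurement of the real kernel): a constructed Python model that counts how many rules get tested per outgoing packet under the two layouts being argued about. It treats chain traversal as linear, the way ipchains/iptables walk a chain, and a jump as one matched rule plus whatever is tested inside the target chain. The chain names `FORWARD`, `macs`, `oipacct_<customer>` and `o_<customer>` and the six accounting rules per customer follow the mail; the packet fields, the customer count and the assumption that every accounting rule in the flat layout needs its own address match are assumptions of the model, not facts from the mail.

```python
"""Rule-evaluation model for a per-customer chain layout vs. one flat FORWARD chain.

Constructed model, not a kernel measurement: chains are walked linearly, a
counting rule (no target) matches and continues, a jump costs one matched
rule plus the rules tested in the target chain, and a chain that falls
through returns to its caller (or to the chain policy at the top level).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ACCT_RULES = 6  # "generally around six rules" in oipacct_<customer>, per the mail


@dataclass
class Rule:
    match: Callable[[dict], bool]
    # "ACCEPT"/"DROP", "RETURN", the name of a user chain to jump to,
    # or None for a count-only rule that matches and keeps going.
    target: Optional[str]


class Ruleset:
    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {}

    def add(self, chain: str, rule: Rule) -> None:
        self.chains.setdefault(chain, []).append(rule)

    def walk(self, chain: str, pkt: dict) -> Tuple[Optional[str], int]:
        """Test the rules of one chain in order; return (verdict, rules tested).

        verdict is None when the chain fell through or hit RETURN.
        """
        tested = 0
        for rule in self.chains.get(chain, []):
            tested += 1
            if not rule.match(pkt):
                continue
            if rule.target is None:              # counting rule: keep going
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target, tested
            if rule.target == "RETURN":
                return None, tested
            verdict, sub = self.walk(rule.target, pkt)   # jump into user chain
            tested += sub
            if verdict is not None:
                return verdict, tested
        return None, tested


def cost(rs: Ruleset, pkt: dict) -> Tuple[str, int]:
    """Verdict and number of rules tested for one packet entering FORWARD."""
    verdict, tested = rs.walk("FORWARD", pkt)
    return verdict or "POLICY", tested


def outbound_for(c: int) -> Callable[[dict], bool]:
    # Models "-o <iface> -d <customer net>"; packet fields are assumed.
    return lambda p: p["dir"] == "out" and p["customer"] == c


def build_nested(n: int) -> Ruleset:
    """FORWARD -> macs -> oipacct_<c> -> o_<c>, as described in the mail."""
    rs = Ruleset()
    rs.add("FORWARD", Rule(lambda p: p["dir"] == "out", "macs"))
    for c in range(n):
        rs.add("macs", Rule(outbound_for(c), f"oipacct_{c}"))
        for _ in range(ACCT_RULES):              # accounting: no address match needed here
            rs.add(f"oipacct_{c}", Rule(lambda p: True, None))
        rs.add(f"oipacct_{c}", Rule(lambda p: True, f"o_{c}"))
        rs.add(f"o_{c}", Rule(lambda p: True, "ACCEPT"))
    return rs


def build_flat(n: int) -> Ruleset:
    """Everything inline in FORWARD; each rule must now match the customer itself."""
    rs = Ruleset()
    for c in range(n):
        for _ in range(ACCT_RULES):
            rs.add("FORWARD", Rule(outbound_for(c), None))
        rs.add("FORWARD", Rule(outbound_for(c), "ACCEPT"))
    return rs


def compare(n: int) -> List[Tuple[int, int, int]]:
    """(customer, rules tested flat, rules tested nested) for one packet each."""
    flat, nested = build_flat(n), build_nested(n)
    rows = []
    for c in range(n):
        pkt = {"dir": "out", "customer": c}       # constructed sample packet
        rows.append((c, cost(flat, pkt)[1], cost(nested, pkt)[1]))
    return rows


if __name__ == "__main__":
    for c, flat_n, nested_n in compare(20):
        print(f"customer {c:2d}: flat {flat_n:4d} rules, nested {nested_n:3d} rules")
```

In this model a packet for customer k tests about 7k rules in the flat layout but only k + 9 in the nested one: the jump into `macs` and the jump into `oipacct_<c>` each cost one matched rule, and in return every other customer's accounting block is skipped entirely. The first customer pays slightly more with jumps (10 vs 7); the twentieth pays far less (29 vs 140). What the model leaves out is anything about how expensive one match is relative to the jump bookkeeping, which is exactly the part that needs a real measurement (rule counters and profiling on the box itself).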
