On Sun, Oct 08, 2006 at 04:03:26PM +0200, Federico Giannici wrote:

> I'm trying to re-phrase this question too: is the PF code executed
> during the NIC interrupts?

There's a simple way to find that out empirically. Increase the work pf has to do, and observe what time percentage is increasing due to that.

For instance, load a ruleset that consists of random non-matching rules that have to be evaluated for each packet, give the machine a flow of packets it has to evaluate the ruleset for, and check the CPU usage. Increase the number of rules until there is an observable difference.

An example can be found in

  http://undeadly.org/cgi?action=article&sid=20060927091645

grep for 'jot' in there.

Daniel
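
A sketch of the ruleset generation described in the message above, added here and not part of the original post or the linked article. It uses awk instead of jot; the documentation source ranges, the final `pass all no state` rule and the optimizer setting are assumptions chosen so that test traffic matches none of the block rules and every packet walks the whole list.

```shell
#!/bin/sh
# gen_pf_rules COUNT [SEED]
# Print a pf ruleset with COUNT pseudo-random block rules that ordinary test
# traffic will not match, so each packet pays for COUNT rule evaluations.
gen_pf_rules() {
    count=$1
    seed=${2:-1}
    case $count in
        ''|*[!0-9]*)
            echo "usage: gen_pf_rules COUNT [SEED]" >&2
            return 1 ;;
    esac
    awk -v n="$count" -v seed="$seed" 'BEGIN {
        srand(seed)   # fixed seed: the same ruleset can be regenerated
        # Assumption: sources come from the RFC 5737 documentation ranges,
        # which should never appear in the test flow.
        split("192.0.2 198.51.100 203.0.113", net, " ")
        # Assumption: keep the optimizer from merging or reordering rules.
        print "set ruleset-optimization none"
        for (i = 0; i < n; i++) {
            src  = net[1 + int(rand() * 3)] "." (1 + int(rand() * 254))
            port = 1024 + int(rand() * 64000)
            printf "block in quick inet proto tcp from %s to any port %d\n", src, port
        }
        # Assumption: pass without state so later packets of a flow cannot
        # shortcut the ruleset through a state-table hit.
        print "pass all no state"
    }'
}

# Stand-alone use: ./gen.sh 1000 > /tmp/pf.test.conf
case ${0##*/} in
    gen.sh) gen_pf_rules "${1:-1000}" "${2:-1}" ;;
esac
```

Parse the output with `pfctl -nf` before loading it, then double COUNT between runs and watch which CPU time category (interrupt or system) grows with it.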