Aloh�!
The situation:
AMD 1600 XP w/ 640 MB RAM @ 100MHZ FSB, one 3COM 905B eth1 connected to LAN, one 3COM 905C connected to ADSL Modem (1024/128 line).
Two iptables rulesets:
The first 'normal' ruleset is pretty restrictive against connetions from the outside, more or less open towards connections opened from the LAN.
The second ruleset inserted after the first is a huge IP blacklist (1.4MB iptables script!) that takes nearly half an hour to be inserted into the running ruleset.
Adamantix Kernel 2.4.26 w/ PaX, stack & adress space randomization and all the other goodies except for RSBAC has about every networking functionality compiled in that has to do with traffic shaping/routing (need to shape the LAN for the small upstream bandwidth)
The problem:
When transferring data, output on the NICs (well, I tested it with netio on eth1) is reduced to a crawling 400KB/s, top shows the system CPU load going up to around 94-97% while the netio process (or samba, doesn't matter) tries to get another 50%+ CPU time.
With just the first ruleset everything is fine (although the process transferring still wants quite a lot of CPU for my taste).
The question: Is my Kernel to bloated? Is there a way to further optimize for networking? Can I provide more specific information (Didn't want to paste /usr/src/linux/.config or the like just yet ;-)?
I have another firewall elsewhere that is running IPCop on a P200 Pro w/ 64MB RAM and that one is taking the same blocklist without any problems, so I am a bit surprised to see this machine suffer. Then again that one is only firewalling/routing between two 100MBit Subnets and doesn't have to deal with pppoe or the like. IIRC IPCop still uses a 2.2 Kernel? Could it really be all the shaping functionality slowing things down so much?
best regards - at a loss
Martin
