Optimizing Kernel for huge iptables ruleset
AMD 1600 XP w/ 640 MB RAM @ 100MHZ FSB, one 3COM 905B eth1 connected to
LAN, one 3COM 905C connected to ADSL Modem (1024/128 line).
Two iptables rulesets:
The first 'normal' ruleset is pretty restrictive against connetions from
the outside, more or less open towards connections opened from the LAN.
The second ruleset inserted after the first is a huge IP blacklist
(1.4MB iptables script!) that takes nearly half an hour to be inserted
into the running ruleset.
Adamantix Kernel 2.4.26 w/ PaX, stack & adress space randomization and
all the other goodies except for RSBAC has about every networking
functionality compiled in that has to do with traffic shaping/routing
(need to shape the LAN for the small upstream bandwidth)
When transferring data, output on the NICs (well, I tested it with netio
on eth1) is reduced to a crawling 400KB/s, top shows the system CPU load
going up to around 94-97% while the netio process (or samba, doesn't
matter) tries to get another 50%+ CPU time.
With just the first ruleset everything is fine (although the process
transferring still wants quite a lot of CPU for my taste).
The question: Is my Kernel to bloated? Is there a way to further
optimize for networking? Can I provide more specific information (Didn't
want to paste /usr/src/linux/.config or the like just yet ;-)?
I have another firewall elsewhere that is running IPCop on a P200 Pro w/
64MB RAM and that one is taking the same blocklist without any problems,
so I am a bit surprised to see this machine suffer. Then again that one
is only firewalling/routing between two 100MBit Subnets and doesn't have
to deal with pppoe or the like. IIRC IPCop still uses a 2.2 Kernel?
Could it really be all the shaping functionality slowing things down so
best regards - at a loss