Alohá! Rainer Nagel wrote:

> Another speedup can be achieved by using iptables-restore and creating its input file with the script.
Ever so true; that actually is the best solution when it comes to input speed. It does, of course, not solve the dirtiness of that ruleset ;-) Anyway, to point every beginner and even the advanced to a really good source: I myself started pulling old printouts from the shelf to read up on the issue, and once again I was amazed by the depth and quality of http://iptables-tutorial.frozentux.net by Oskar Andreasson.

That's also where I found the passage stating that when stuff is being inserted, appended or altered, the whole ruleset is being pulled out of kernelspace, updated and reinserted (Chapter 5 'Saving and restoring large rulesets', 5.1 'Speed considerations').

Best regards,
Martin
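As an added illustration of the approach Rainer and Martin discuss (not code from either of them, nor from the frozentux tutorial), here is a small POSIX shell script that builds a complete iptables-restore input stream in one pass instead of calling iptables once per rule. The address list, the chain name BLOCKLIST and the filter-table policies are constructed for the example; nothing here touches the running firewall unless you pipe the output into iptables-restore yourself.

```shell
#!/bin/sh
# Added example: generate an iptables-restore stream in one pass.
# Every per-rule "iptables -A ..." call pulls the whole ruleset out of the
# kernel, modifies it and pushes it back; iptables-restore does that once for
# the entire table, so building a file and loading it is O(1) kernel round
# trips instead of O(rules).

# Constructed sample input (one source address or network per line), standing
# in for whatever a blocklist script would normally read from a file or feed.
BLOCKLIST='192.0.2.10
192.0.2.11
198.51.100.0/24'

# gen_rules LIST: print a complete filter-table ruleset for iptables-restore.
# Chain name BLOCKLIST and the ACCEPT policies are assumptions for the example.
gen_rules() {
    printf '%s\n' '*filter'
    # Built-in chains keep their policies; user chain gets policy "-".
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':BLOCKLIST - [0:0]'
    printf '%s\n' '-A INPUT -j BLOCKLIST'
    # One DROP rule per non-empty line of the list; blank lines are skipped.
    printf '%s\n' "$1" | while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        printf '%s\n' "-A BLOCKLIST -s $addr -j DROP"
    done
    # COMMIT ends the table; without it iptables-restore loads nothing.
    printf '%s\n' 'COMMIT'
}

# count_drops STREAM: number of DROP rules in a generated stream, used as a
# sanity check before loading it.
count_drops() {
    printf '%s\n' "$1" | grep -c -- '-j DROP'
}

RULES=$(gen_rules "$BLOCKLIST")
printf '%s\n' "$RULES"
# Load atomically as root:  printf '%s\n' "$RULES" | iptables-restore
```

Two caveats a practitioner should keep in mind: iptables-restore flushes and replaces the named table by default, so the generated stream must contain the whole table you want to end up with (or be loaded with --noflush if it is meant to be additive), and it is worth running the stream through `iptables-restore --test` first, since a syntax error anywhere in the file aborts the load and leaves the old ruleset in place.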