netfilter CPU usage

From: Steve Fink
Date: Mon Sep 28 2009 - 15:49:09 EST


I have a single OUTPUT rule (drop a particular UDP host:port) that
eats up a whole CPU core and a half (I have 8 cores total). It is the
only rule I have. It doesn't matter whether I do it in the raw table
or the filter table. This is when I'm just about maxing out 5 gigabit
NICs (outgoing traffic only). The rule matches nearly all of the
packets.

Is there any way to reduce the load, or at least spread it out over all CPUs?

My 8 cores are all at about 30% usage when I have no rules defined
(and the packets are going out to the switch). When I add that rule,
one of the cores shoots to 100%, another to 70% or so. The rest don't
really change.

I'm trying to figure out how to accomplish the same thing with a
blackhole route for comparison's sake, but I can't get it to work --
the packets are still going out.