netfilter CPU usage

From: Steve Fink
Date: Mon Sep 28 2009 - 15:49:09 EST

I have a single OUTPUT rule (drop a particular UDP host:port) that
eats up a whole CPU core and a half (I have 8 cores total). It is the
only rule I have. It doesn't matter whether I do it in the raw table
or the filter table. This is when I'm just about maxing out 5 gigabit
NICs (outgoing traffic only). The rule matches nearly all of the

Is there any way to reduce the load, or at least spread it out over all CPUs?

My 8 cores are all at about 30% usage when I have no rules defined
(and the packets are going out to the switch). When I add that rule,
one of the cores shoots to 100%, another to 70% or so. The rest don't
really change.

I'm trying to figure out how to accomplish the same thing with a
blackhole route for comparison's sake, but I can't get it to work --
the packets are still going out.
