long ruleset perfomance issue

anton at web-sat.com anton at web-sat.com
Mon Apr 4 13:44:19 CEST 2005

I need to mark packets going through a linux router with iptables for some 4500 ip addresses(to use with tc bandwidth shaping filters).
This list needs to be updated every 10 minutes.
So i made a shell script file looking like:

/usr/local/sbin/iptables -F 
/usr/local/sbin/iptables -A FORWARD -t mangle -d -j MARK --set-mark 1
/usr/local/sbin/iptables -A FORWARD -t mangle -d -j MARK --set-mark 2
/usr/local/sbin/iptables -A FORWARD -t mangle -d -j MARK --set-mark 1
and so on for 4500 times.

When i run this script on Xeon 2.4ghz cpu it takes 2-3 minutes real time with 100% cpu load to process.
During this time server becomes unusable. 
Is there any way to make it run faster, like optimizing ruleset or trying a different approach?
I have tried to search on this issue but was not successful.

Any input is greatly appreciatred.

Thank you,

More information about the netfilter mailing list