I don't know anything about VyOS but if it sits on top of another OS (Linux or BSD) they both have their own process limits and configuration parameters.
It sits on top of Linux I think. My rough guess is connection tracking is enabled in the firewall with the default settings, which I think are 16k hash buckets and remember active connections for five days. So at a hundred connections per second, you might have 50 million or so active connections spread across 16k buckets so you're doing a linear search in the firewall of about 40k entries on every packet which can cause a little bit of delay.

It's worth looking at /proc/sys/net/netfilter to see what it's saying. I'll be intrigued to know the answer.

Pete

--
Pete Stevens
[email protected]
http://www.ex-parrot.com/~pete/
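Added example, not part of the original message: a shell function that reads the standard `nf_conntrack_*` files under /proc/sys/net/netfilter and reports the average hash-chain length and how full the table is. The names `read_val` and `conntrack_report` are hypothetical, and the demo values at the bottom are constructed, not measurements from the router discussed in this thread.

```shell
#!/bin/sh
# Added example: summarise netfilter connection-tracking load.

# read_val DIR NAME: print the integer stored in DIR/NAME, fail if unreadable.
read_val() {
    [ -r "$1/$2" ] || return 1
    tr -d '[:space:]' < "$1/$2"
}

# conntrack_report [DIR]: DIR defaults to the live sysctl directory.
conntrack_report() {
    dir=${1:-/proc/sys/net/netfilter}
    count=$(read_val "$dir" nf_conntrack_count) &&
    max=$(read_val "$dir" nf_conntrack_max) &&
    buckets=$(read_val "$dir" nf_conntrack_buckets) &&
    timeout=$(read_val "$dir" nf_conntrack_tcp_timeout_established) || {
        echo "conntrack sysctls not readable in $dir (module not loaded?)" >&2
        return 1
    }
    [ "$buckets" -gt 0 ] && [ "$max" -gt 0 ] || {
        echo "unexpected values in $dir" >&2
        return 1
    }
    # Average chain length (rounded up): entries walked per bucket lookup.
    avg_chain=$(( (count + buckets - 1) / buckets ))
    fill_pct=$(( count * 100 / max ))
    echo "entries=$count max=$max buckets=$buckets"
    echo "avg_chain=$avg_chain fill_pct=$fill_pct established_timeout_days=$(( timeout / 86400 ))"
    # Once the table is full the kernel drops packets for new connections.
    if [ "$fill_pct" -ge 90 ]; then
        echo "WARNING: conntrack table nearly full"
    fi
    return 0
}

# Demo on constructed sample values so the script runs on any machine.
demo_dir=$(mktemp -d)
echo 200000 > "$demo_dir/nf_conntrack_count"
echo 262144 > "$demo_dir/nf_conntrack_max"
echo 16384  > "$demo_dir/nf_conntrack_buckets"
echo 432000 > "$demo_dir/nf_conntrack_tcp_timeout_established"
conntrack_report "$demo_dir"
rm -rf "$demo_dir"
```

On the router itself, call `conntrack_report` with no argument to read the live values.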
