Recently our upstream provider has been threatening to terminate our service because they have started to receive a metric Sh!t ton of abuse mails because internet users on the network are downloading illegal torrents; with 5000 customers that's no surprise.
So I started to set up a method that only logs UDP ports from users that are busy downloading torrents.
I used 3 rules. The first one is to add all users to an address list with a 30 min timeout:
chain=forward action=add-src-to-address-list layer7-protocol=L7-Torrent src-address=10.0.0.0/8 address-list=Local_Torrent_User address-list-timeout=30m log=no log-prefix=""
The second one is to add all the dst torrent traffic to a different address list:
chain=forward action=add-dst-to-address-list layer7-protocol=L7-Torrent src-address=10.0.0.0/8 address-list=Remote_Torrent_user address-list-timeout=30m log=no log-prefix=""
And finally I set up a log rule that matches UDP connections from the src address list with the dst address list and sends that away to a remote logging server:
chain=forward action=log protocol=udp src-address-list=Local_Torrent_User dst-address-list=Remote_Torrent_user log=no log-prefix="torrenttraffic"
Now I noticed our CCR1072 that was normally running at about 25% CPU with 2Gbps of data is now doing about 45%.
When inspecting tool profile, it shows that the L7 matcher is using multiple CPU cores.
When checking resources and CPU, there is a core running at 100%.
Disabling the newly created rules, all cores are operating normally again.
Is there any way I can make the rules more efficient?
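One way to restructure the three rules so that the expensive L7 regex runs once per connection instead of on every forwarded packet, as an added example that is not part of the original post: the L7 match is moved into mangle and stored as a connection mark, and the address-list and log rules then match on that mark. It assumes the L7-Torrent profile and the 10.0.0.0/8 customer range from the post, and a RouterOS version that supports connection marking in mangle; the connection-mark name "torrent" is chosen here.

```routeros
# Added example (not from the post): run the L7-Torrent matcher only on
# connections that have not been marked yet, then key the cheap filter and
# log rules off the connection mark. Assumes L7-Torrent and 10.0.0.0/8 from
# the post; the mark name "torrent" is an assumption.

/ip firewall mangle
# Only unmarked connections reach the L7 matcher; once a connection carries
# the "torrent" mark, its later packets skip this rule entirely.
add chain=forward connection-mark=no-mark src-address=10.0.0.0/8 \
    layer7-protocol=L7-Torrent action=mark-connection \
    new-connection-mark=torrent passthrough=no

/ip firewall filter
# Same two address lists as the original rules, but matched on the
# connection mark, so no regex work happens here.
add chain=forward connection-mark=torrent src-address=10.0.0.0/8 \
    action=add-src-to-address-list address-list=Local_Torrent_User \
    address-list-timeout=30m
add chain=forward connection-mark=torrent src-address=10.0.0.0/8 \
    action=add-dst-to-address-list address-list=Remote_Torrent_user \
    address-list-timeout=30m
# Log only UDP flows between the two lists, as in the original third rule.
add chain=forward protocol=udp src-address-list=Local_Torrent_User \
    dst-address-list=Remote_Torrent_user action=log \
    log-prefix="torrenttraffic"

# Check that the mangle rule is matching and that per-core load has dropped.
/ip firewall mangle print stats
/tool profile
```

The mangle rule still inspects every packet of connections that never match (the L7 matcher gives up after the first few packets of a connection), so compare /tool profile before and after rather than assuming the saving.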