From: Rene Gallati <lartc@draxinusom.ch>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] large routing table
Date: Wed, 31 Mar 2004 21:32:10 +0000
Message-ID: <406B38DA.7030200@draxinusom.ch>
In-Reply-To: <4069FB34.6000507@draxinusom.ch>
Hello,
> 100kbytes of prefixes is not so good, hashing does not mean anything faster
> when checking ip
> you will need to test 4 bytes in any way, since hash is usually 32 bit too.
> this can help on very complex rules only.
Yeah you're right. Also, the hash cannot tell me if something "like"
nnn.nnn.xxx.yyy is in table X because only exact matches are possible.
> so if you pump 100 kbytes of prefixes this is probably 7000 addresses so on
> each packet 7000 tests will be done.
6486 to be exact. I don't really want more than 30 tests or so.
> everything mostly depends on how much traffic you need to pass.
Not much, about 1-2mbps, maybe 4 to 5 peak. But the server does a lot of
other things and I am not to use up all the resources. It's a fast
machine with lots of RAM but I still don't pay for it and so I don't
want to create a lot of load.
> probably hierarchical structure is the best option.
> you can use multiple servers to mark packets and one to shape traffic ( you
> should use TOS not mark)
I only have one at my disposition for this. However I think with the
help of the netfilter connection tracker I'll be able to minimize the
problem to the connection setup phase. Now I just need to write a script
that generates the rules. If there is interest, I'll copy it to the list
once it's working.
Thanks for your hints
René
>
>
>
>
> ----- Original Message -----
> From: "Rene Gallati" <lartc@draxinusom.ch>
> To: <lartc@mailman.ds9a.nl>
> Sent: Wednesday, March 31, 2004 1:56 AM
> Subject: [LARTC] large routing table
>
>
>
>>Hello List,
>>
>>I have a little non-standard problem (or so I guess). I'm getting a
>>sponsored server on a backbone for almost nothing - which is quite nice.
>>However there is a string attached: Since the bandwidth to foreign
>>countries is expensive, while in-land bandwidth is almost free, I need to
>>shape down access to all "foreign" IPs.
>>
>>Now I have a (large) list of routes/prefixes for destinations which are
>>ok - a whitelist if you want. The question I have now is, how do I best
>>proceed in using that list so that the kernel does not spend too much
>>time looking it up for every single packet.
>>
>>Is the routing table hashed by default so access is fast and I can just
>>pump in the ~100KBytes of ip prefixes ? Or does it traverse them
>>linearly and I need to build a hierarchical structure so that it will be
>>fast ? (sort of like in section 12.4 of the LARTC howto with the filters?)
>>
>>I've also toyed with the idea of doing it in netfilter since I know
>>netfilter quite a lot better than tc and ip but it is mostly outgoing
>>traffic that is a problem and I sort of feel that this is better done by
>>the routing/filtering infrastructure than by the firewall.
>>
>>Any advice?
>>
>>Thanks in advance
>>
>>René
>>_______________________________________________
>>LARTC mailing list / LARTC@mailman.ds9a.nl
>>http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
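
The plan sketched in the message above (a hierarchical rule set, with connection tracking so that only connection setup pays for the lookup), as an added example that is not the script mentioned in the thread. It assumes a binary split of the address space as the hierarchy, the iptables MARK and CONNMARK targets in the mangle table, and hypothetical chain names (WL1.., CLASSIFY), mark values and leaf size; the prefix list is constructed.

```python
import ipaddress

DOMESTIC, FOREIGN = 1, 2  # hypothetical fwmark values, not from the thread
# Constructed sample whitelist (private/documentation ranges), not the real list.
SAMPLE = ["10.0.0.0/8", "10.1.0.0/16", "172.16.0.0/12", "192.0.2.0/24",
          "192.168.0.0/16", "198.51.100.0/24", "203.0.113.0/24"]

def build(prefixes, leaf=2):
    """Return (iptables commands, worst-case rule tests inside the tree)."""
    # Drop prefixes already covered by a shorter one so the set is disjoint.
    nets = list(ipaddress.collapse_addresses(map(ipaddress.ip_network, prefixes)))
    rules, count = [], [0]
    ipt = "iptables -t mangle"
    def chain(node, members, tests):
        count[0] += 1
        name = f"WL{count[0]}"
        rules.append(f"{ipt} -N {name}")
        if len(members) <= leaf:  # leaf chain: test each prefix directly
            rules.extend(f"{ipt} -A {name} -d {n} -j MARK --set-mark {DOMESTIC}"
                         for n in members)
            return name, tests + len(members)
        while True:  # skip levels where only one half holds any prefix
            halves = list(node.subnets(prefixlen_diff=1))
            parts = [[n for n in members if n.subnet_of(h)] for h in halves]
            if all(parts):
                break
            node = halves[0] if parts[0] else halves[1]
        worst = 0
        for half, part in zip(halves, parts):  # two jump rules per inner chain
            child, t = chain(half, part, tests + 2)
            rules.append(f"{ipt} -A {name} -d {half} -j {child}")
            worst = max(worst, t)
        return name, worst

    root, worst = chain(ipaddress.ip_network("0.0.0.0/0"), nets, 0)
    rules += [  # only packets of still-unmarked connections walk the tree
        f"{ipt} -N CLASSIFY",
        f"{ipt} -A CLASSIFY -j {root}",
        f"{ipt} -A CLASSIFY -m mark --mark 0 -j MARK --set-mark {FOREIGN}",
        f"{ipt} -A CLASSIFY -j CONNMARK --save-mark",
        f"{ipt} -A OUTPUT -j CONNMARK --restore-mark",
        f"{ipt} -A OUTPUT -m mark --mark 0 -j CLASSIFY",
    ]
    return rules, worst

if __name__ == "__main__":
    cmds, worst = build(SAMPLE)
    print("\n".join(cmds))
    print(f"# worst case: {worst} tests per new connection")
```

Because MARK does not end traversal, every rule of each chain on the path is tested, which is what the returned worst-case figure counts; raising or lowering `leaf` trades tree depth against leaf length. A tc `fw` filter on the FOREIGN mark can then steer those packets into the shaped class.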