From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rene Gallati
Date: Wed, 31 Mar 2004 21:32:10 +0000
Subject: Re: [LARTC] large routing table
Message-Id: <406B38DA.7030200@draxinusom.ch>
List-Id:
References: <4069FB34.6000507@draxinusom.ch>
In-Reply-To: <4069FB34.6000507@draxinusom.ch>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: lartc@vger.kernel.org

Hello,

> 100kbytes of prefixes is not so good, hashing does not mean anything faster
> when checking ip
> you will need to test 4 bytes in any way, since hash is usually 32 bit too.
> this can help on very complex rules only.

Yeah you're right. Also, the hash cannot tell me if something "like"
nnn.nnn.xxx.yyy is in table X because only exact matches are possible.

> so if you pump 100 kbytes of prefixes this is probably 7000 addresses so on
> each packet 7000 tests will be done.

6486 to be exact. I don't really want more than 30 tests or so.

> everything mostly depends on how much traffic you need to pass.

Not much, about 1-2mbps, maybe 4 to 5 peak. But the server does a lot of
other things and I am not to use up all the resources. It's a fast
machine with lots of RAM but I still don't pay for it and so I don't
want to create a lot of load.

> probably hierarchical structure is the best option.
> you can use multiple servers to mark packets and one to shape traffic (you
> should use TOS not mark)

I only have one at my disposition for this. However I think with the
help of the netfilter connection tracker I'll be able to minimize the
problem to the connection setup phase. Now I just need to write a script
that generates the rules. If there is interest, I'll copy it to the list
once it's working.

Thanks for your hints

René

>
> ----- Original Message -----
> From: "Rene Gallati"
> To:
> Sent: Wednesday, March 31, 2004 1:56 AM
> Subject: [LARTC] large routing table
>
>
>> Hello List,
>>
>> I have a little non-standard problem (or so I guess). I'm getting a
>> sponsored server on a backbone for almost nothing - which is quite nice.
>> However there is a string attached: Since the bandwidth to foreign
>> countries is expensive, while in-land bandwidth is almost free, I need to
>> shape down access to all "foreign" IPs.
>>
>> Now I have a (large) list of routes/prefixes for destinations which are
>> ok - a whitelist if you want. The question I have now is, how do I best
>> proceed in using that list so that the kernel does not spend too much
>> time looking it up for every single packet.
>>
>> Is the routing table hashed by default so access is fast and I can just
>> pump in the ~100KBytes of ip prefixes? Or does it traverse them
>> linearly and I need to build a hierarchical structure so that it will be
>> fast? (sort of like in section 12.4 of the LARTC howto with the filters?)
>>
>> I've also toyed with the idea of doing it in netfilter since I know
>> netfilter quite a lot better than tc and ip but it is mostly outgoing
>> traffic that is a problem and I sort of feel that this is better done by
>> the routing/filtering infrastructure than by the firewall.
>>
>> Any advice?
>>
>> Thanks in advance
>>
>> René
>

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
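The two lookup strategies the thread contrasts, as an added illustration that is not code from the LARTC list, from Rene's planned script, or from the kernel: a binary trie over the address bits (the "hierarchical structure" suggested in the reply) bounds a longest-prefix lookup at 32 bit tests regardless of how many prefixes are loaded, whereas a linear scan costs one test per prefix and a hash of exact addresses cannot answer whether a host "like" nnn.nnn.xxx.yyy falls inside a listed prefix. The whitelist below is constructed sample data, not the ~6500-prefix list the thread talks about; `PrefixTrie`, `linear_scan`, `exact_hash_lookup` and `classify` are names chosen here.

```python
import ipaddress

# Constructed sample whitelist (not the real ~6500-prefix list from the thread).
SAMPLE_WHITELIST = [
    "10.0.0.0/8",
    "192.0.2.0/24",
    "198.51.100.0/22",
    "203.0.113.0/25",
    "203.0.113.128/26",
]


class PrefixTrie:
    """Binary trie over IPv4 address bits, most significant bit first.

    Each node is a dict with optional children under keys 0 and 1 and an
    optional "prefix" entry marking that a whitelist entry ends here.
    """

    def __init__(self, prefixes=()):
        self.root = {}
        for cidr in prefixes:
            self.insert(cidr)

    def insert(self, cidr):
        net = ipaddress.ip_network(cidr, strict=True)
        node = self.root
        bits = int(net.network_address)
        for i in range(net.prefixlen):
            bit = (bits >> (31 - i)) & 1
            node = node.setdefault(bit, {})
        node["prefix"] = str(net)

    def lookup(self, address):
        """Longest-prefix match. Returns (prefix or None, bit tests done).

        The walk follows one bit per step, so it never performs more than
        32 tests however many prefixes the trie holds.
        """
        bits = int(ipaddress.ip_address(address))
        node = self.root
        best = node.get("prefix")
        tests = 0
        for i in range(32):
            tests += 1
            child = node.get((bits >> (31 - i)) & 1)
            if child is None:
                break
            node = child
            if "prefix" in node:
                best = node["prefix"]
        return best, tests


def linear_scan(address, prefixes=SAMPLE_WHITELIST):
    """Naive alternative: test the address against every prefix.

    Longest match needs every prefix examined, so the cost is one test per
    prefix (the 6486 tests per packet mentioned in the thread).
    """
    addr = ipaddress.ip_address(address)
    best, tests = None, 0
    for cidr in prefixes:
        tests += 1
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return (str(best) if best else None), tests


def exact_hash_lookup(address, prefixes=SAMPLE_WHITELIST):
    """What a hash of exact addresses gives you: only the network address
    itself hits; a host inside the prefix does not."""
    table = {str(ipaddress.ip_network(c).network_address) for c in prefixes}
    return address in table


def classify(trie, address):
    """The decision the shaper needs: 'inland' (whitelisted) or 'foreign'."""
    prefix, _ = trie.lookup(address)
    return "inland" if prefix else "foreign"


if __name__ == "__main__":
    trie = PrefixTrie(SAMPLE_WHITELIST)
    for ip in ("203.0.113.130", "10.200.1.1", "8.8.8.8"):
        print(ip, trie.lookup(ip), linear_scan(ip),
              exact_hash_lookup(ip), classify(trie, ip))
```

Running it shows 203.0.113.130 matched to 203.0.113.128/26 after 27 bit tests in the trie but missed entirely by the exact-address hash, while the linear scan touches all five sample prefixes for every address; with the real list that last number is the per-packet cost the thread wants to avoid, which is why the reply's suggestion to classify only at connection setup and carry the result on the connection is attractive.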