From: Corey Hickey
Date: Sat, 12 May 2007 21:51:33 +0000
Subject: Re: [LARTC] Massive filtering
Message-Id: <464636E5.5080709@fatooh.org>
References: <200705050130.AA2025718096@ipro.net>
In-Reply-To: <200705050130.AA2025718096@ipro.net>
To: lartc@vger.kernel.org

ericr wrote:
> I am trying to build a traffic control rule set for a huge NATed
> network, and I have it working for single known addresses but I need
> to scale it to 16M potential client addresses. I'm using iptables
> for NAT. Incoming traffic is simple because I can match destination
> address; outgoing traffic I use iptables IPMARK then tc match mark
> and it works perfectly if I build rules for each client individually.
> I am worried about performance as the client list increases.
>
> I need to place client IPs into classes like routers, freeloaders,
> lite-access, premium-access, etc. I have no problem with rewriting
> rules on the fly. It is easy to pop in a rule change any time a user
> authenticates or is disconnected for inactivity.

I don't know what exactly it is you're doing, but here's a thought. Do
you control the allocation of addresses via DHCP? If so, it might be
faster/easier to simply set up IP ranges for your separate classes of
user.

10.1.0.0/16 routers
10.2.0.0/16 freeloaders
10.3.0.0/16 ...etc...

Then you can use single matches in iptables/tc to identify packets
to/from each class.

-Corey

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
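The range-per-class idea above, worked through as an added example (not code from the thread): one HTB class per user class and one u32 filter per /16, so the rule count stays constant no matter how many clients authenticate. The interface name, the rates and the 10.x.0.0/16 ranges are assumptions; DRY_RUN=1 prints the tc commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: shape by DHCP-assigned /16 per user class
# instead of one rule per client. Interface, rates and ranges are assumptions.
DEV=${DEV:-eth0}
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands (no root needed), 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# classid  subnet        rate   (constructed: one /16 per class, as suggested)
CLASSES='
10 10.1.0.0/16 50mbit
20 10.2.0.0/16 1mbit
30 10.3.0.0/16 5mbit
40 10.4.0.0/16 20mbit
'

# One u32 filter per class. dir is "dst" on the client-facing interface
# (traffic towards clients) and "src" on the upstream interface (traffic
# from clients), which replaces the per-client IPMARK rules entirely.
filter_cmd() { # filter_cmd <src|dst> <subnet> <classid>
    echo "tc filter add dev $DEV parent 1:0 protocol ip prio 1 u32 match ip $1 $2 flowid 1:$3"
}

# setup <src|dst>: build the HTB tree on $DEV and attach the class filters.
setup() {
    dir=${1:-dst}
    run tc qdisc del dev "$DEV" root
    run tc qdisc add dev "$DEV" root handle 1: htb default 20
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate 100mbit
    echo "$CLASSES" | while read -r id net rate; do
        [ -z "$id" ] && continue
        run tc class add dev "$DEV" parent 1:1 classid "1:$id" htb rate "$rate" ceil 100mbit
        # everything in $net lands in 1:$id with a single match
        run $(filter_cmd "$dir" "$net" "$id")
    done
}
```

Call `setup dst` on the interface facing the clients and `setup src` on the upstream one; a client moved between classes only needs a new DHCP lease, not a rule change.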