Hi,

Personally, I've never tried anything this huge, but a guy I know
has written two papers on this:
1) optimizing iptables and tc rules:
http://www.linux-bg.org/cgi-bin/y/index.pl?page=article&id=advices&key=380752598
2) usage of ipset, iptables, ipmark:
http://www.linux-bg.org/cgi-bin/y/index.pl?page=article&id=advices&key=386924398

They are in Bulgarian, but hopefully the code will help. If you have a
problem understanding them, write me in private so I can make a
translation.

On 05/05/07, ericr <[EMAIL PROTECTED]> wrote:
I am trying to build a traffic control rule set for a huge NATed network, and I
have it working for single known addresses, but I need to scale it to 16M
potential client addresses. I'm using iptables for NAT. Incoming traffic is
simple because I can match the destination address; for outgoing traffic I use
iptables IPMARK, then tc match mark, and it works perfectly if I build rules for
each client individually. I am worried about performance as the client list
increases.

I need to place client IPs into classes like routers, freeloaders, lite-access, 
premium-access, etc. I have no problem with rewriting rules on the fly.  It is 
easy to pop in a rule change any time a user authenticates or is disconnected 
for inactivity.

My first thought for scaling up was to use the hash tables, and I feel that the last line in
the LARTC document page "12.4. Hashing filters for very fast massive filtering", which says
"Note that this example could be improved to the ideal case where each chain contains 1
filter!", is a little misleading, since no divisor above 256 works. On first reading, I'm
thinking, yeah, I'll just put in a divisor of 16777216 and my problems are solved... nope, wrong
answer. I haven't even gotten to the point where I issue 32 million filter rules to tc and see if
it chokes.

I hate to have to ask; I am grateful for all the work you have done just to
get me here. I'm probably missing something important, but I'm trying to scale
to 16 million potential clients, and the only practical documentation I can find
says thinking large is 200 clients.


thoughts, comments, ideas? solutions are best.
Thanks in advance,
Eric.

_______________________________________________
LARTC mailing list
[email protected]
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc



--
Regards,
Владимир Витков (Vladimir Vitkov)

http://www.netsecad.com
http://www.supportbg.com
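An added example for this thread, not code from either poster or from the linked papers: a small POSIX shell generator for the tc filters of a two-level u32 hash, which is how the divisor-256 limit Eric ran into is normally worked around. Everything about the setup is an assumption made for illustration: the LAN device is eth1, the root qdisc is 1:, clients live in 10.0.0.0/8 and are classified on the IP destination address (the inbound direction the question describes). The script prints `tc -batch` lines rather than calling tc itself, so it can be inspected and tested offline. The constraint it designs around: a u32 divisor is at most 256 and u32 hash table ids are 12 bits, so there are at most about 4000 tables, which rules out three 256-way levels for a whole /8. Two levels (second octet, then third) give 65536 buckets, and the per-client filters in a bucket are scanned linearly, at most 256 of them and in practice far fewer because only authenticated clients have a filter. Each client filter gets a handle that is a pure function of its address (table 256+o2, bucket o3, node o4+1), so the disconnect path can delete exactly that filter without looking anything up.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster or from the
# linked papers. It prints "tc -batch" lines that build a two-level u32 hash
# for per-client filters on a /8 of NATed clients, working around the
# 256-bucket divisor limit. Assumptions (hypothetical, adjust to taste):
# LAN device eth1, root qdisc 1:, clients in 10.0.0.0/8, matched on the
# IP destination address (the inbound direction the question describes).

DEV="${DEV:-eth1}"
PARENT="1:0"
PRIO=5
L1_TABLE=1          # keyed on the 2nd octet
L2_BASE=256         # table 256+o2 (0x100..0x1ff) is keyed on the 3rd octet

# u32 hash table ids are 12 bits (0x800 is the implicit root), so there are
# at most ~4000 tables of <=256 buckets: three 256-way levels for a full /8
# do not fit. Two levels give 65536 buckets; hosts sharing one /24 share a
# bucket and are scanned linearly there (<=256, fewer in practice because
# only authenticated clients have a filter).
gen_hash_skeleton() {
    printf 'filter add dev %s parent %s prio %d handle %x: protocol ip u32 divisor 256\n' \
        "$DEV" "$PARENT" "$PRIO" "$L1_TABLE"
    # Root entry: packets to 10.0.0.0/8 are hashed on octet 2 of the dst address
    # (32-bit word at IP header offset 16; mask 0x00ff0000 selects the 2nd octet).
    printf 'filter add dev %s parent %s prio %d protocol ip u32 ht 800:: match ip dst 10.0.0.0/8 hashkey mask 0x00ff0000 at 16 link %x:\n' \
        "$DEV" "$PARENT" "$PRIO" "$L1_TABLE"
    o2=0
    while [ "$o2" -le 255 ]; do
        t2=$((L2_BASE + o2))
        printf 'filter add dev %s parent %s prio %d handle %x: protocol ip u32 divisor 256\n' \
            "$DEV" "$PARENT" "$PRIO" "$t2"
        # Bucket o2 of table 1 hands 10.o2.0.0/16 to table t2, hashed on octet 3.
        printf 'filter add dev %s parent %s prio %d protocol ip u32 ht %x:%x: match ip dst 10.%d.0.0/16 hashkey mask 0x0000ff00 at 16 link %x:\n' \
            "$DEV" "$PARENT" "$PRIO" "$L1_TABLE" "$o2" "$o2" "$t2"
        o2=$((o2 + 1))
    done
}

# Split a dotted quad into O1..O4 and refuse anything outside the client /8.
split_ip() {
    IFS=. read -r O1 O2 O3 O4 <<EOF
$1
EOF
    for o in "$O1" "$O2" "$O3" "$O4"; do
        case "$o" in ''|*[!0-9]*) echo "bad address: $1" >&2; return 1 ;; esac
        [ "$o" -le 255 ] || { echo "bad address: $1" >&2; return 1; }
    done
    [ "$O1" -eq 10 ] || { echo "$1 is outside 10.0.0.0/8" >&2; return 1; }
}

# Deterministic handle for a client's filter: table 256+o2, bucket o3,
# node o4+1 (node ids run 1..0xfff; 0 is not a valid node). Because the
# handle is a pure function of the address, a disconnect can delete exactly
# this filter without looking anything up.
client_handle() {
    split_ip "$1" || return 1
    printf '%x:%x:%x' $((L2_BASE + O2)) "$O3" $((O4 + 1))
}

gen_client_filter() {   # gen_client_filter IP CLASSID
    h=$(client_handle "$1") || return 1
    printf 'filter add dev %s parent %s prio %d handle %s protocol ip u32 ht %s: match ip dst %s/32 flowid %s\n' \
        "$DEV" "$PARENT" "$PRIO" "$h" "${h%:*}" "$1" "$2"
}

gen_client_delete() {   # gen_client_delete IP
    h=$(client_handle "$1") || return 1
    printf 'filter del dev %s parent %s prio %d handle %s protocol ip u32\n' \
        "$DEV" "$PARENT" "$PRIO" "$h"
}

# Usage: sh gen-u32-hash.sh skeleton > filters.batch   (once, at startup)
#        sh gen-u32-hash.sh add 10.23.45.67 1:30 | tc -batch -
#        sh gen-u32-hash.sh del 10.23.45.67       | tc -batch -
case "${1-}" in
    skeleton) gen_hash_skeleton ;;
    add)      gen_client_filter "$2" "$3" ;;
    del)      gen_client_delete "$2" ;;
esac
```

The skeleton is 514 lines (two tables' worth of `divisor 256` declarations plus the link filters) and is loaded once; after that, authenticating a user is one `filter add` and a disconnect is one `filter del`, each landing in a bucket that holds only the other hosts of the same /24. For the outbound direction, where the source has already been NATed, the same structure does not apply directly; that is where the IPMARK plus `fw` match Eric already uses, or the ipset-per-class approach in the second linked paper, does the classification instead.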