Hi,

perhaps someone else already had the same problem.

Problem description:

I'm running a class B University network with approx. 10k hosts attached. I would now like to stop traffic from and to hosts in my network that are not already registered in my DNS server. This means I have to handle approx. 50k rules|routes. Sure, I can summarize the unallocated address space a little bit with masks to approx. 30k rules; anyway, this seems to be a problem.

Question:

What will be the best solution among the different choices

  netfilter/iptables,
  ip route(s) ... type prohibit and
  tc filter ... u32 ... police 0kbps

netfilter/iptables doesn't seem to scale well, and the only match module, "pool", which is able to deal with pools of addresses, seems to stay in alpha state.

With ip route I think I have to describe all unregistered hosts to stop traffic, and not the smaller amount of registered hosts. Do the FIB and route cache scale well to approx. 30k routes?

Is it possible and more performant to use tc to throttle down traffic to unregistered hosts already in the ingress lane, without hitting the routing and netfilter engine with this traffic? Does tc scale well with this huge amount of addresses/masks? How could this be handled with tc?

Regards and thanks in advance for any hint

Charly

P.S. Speed is important, this linux router/firewall connects Gigabit Ethernet networks

-- 
Karl Gaissmaier
Computing Center, University of Ulm, Germany
Email: karl.gaissmaier@rz.uni-ulm.de
Network Administration
Tel.: ++49 731 50-22499

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
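The step the post takes for granted, "summarize the unallocated address space with masks", is where the rule count is decided, so here is an added example (not from the post or from the LARTC project) that does that aggregation and emits the two rule forms the post is weighing against each other. Given a class B block and the list of registered hosts/prefixes exported from DNS, it sweeps the sorted registered blocks once, summarizes every gap between them with the standard `ipaddress` module, and then prints either `ip route add prohibit ...` lines or `tc filter ... u32 match ip src|dst ... police ... drop` lines for the ingress qdisc. The network `10.1.0.0/16`, the host list and the interface name are constructed for the example; the `tc` and `ip route` syntax is the LARTC-HOWTO form (`police rate 1kbit burst 10k drop flowid :1`), assumed here as the way to express the post's "police 0kbps", and the `is_partition` check is my own sanity test, not a kernel feature.

```python
"""
Aggregate the unregistered part of a network block into the minimal set of
CIDR prefixes, then emit the equivalent `ip route ... prohibit` and
`tc filter ... u32 ... police ... drop` rules.

Added example, not from the original post.  SAMPLE_NET / SAMPLE_REGISTERED
below are constructed data; the tc/ip syntax follows the LARTC HOWTO form.
"""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network

# Constructed sample: a class B block with a few registered hosts/prefixes.
SAMPLE_NET = "10.1.0.0/16"
SAMPLE_REGISTERED = ["10.1.0.1/32", "10.1.0.2/32", "10.1.0.3/32",
                     "10.1.5.0/24", "10.1.255.254/32"]


def unregistered_prefixes(network: str, registered: Iterable[str]) -> List[IPv4Net]:
    """Minimal CIDR list covering every address in `network` that is not
    covered by any entry of `registered` (single hosts or prefixes).

    One sorted sweep: collapse the registered blocks, then summarize each gap
    between consecutive blocks.  summarize_address_range already yields the
    minimal prefix set for a gap, so no second aggregation pass is needed.
    """
    net = ipaddress.ip_network(network, strict=True)
    # collapse_addresses merges duplicates, overlaps and adjacent siblings
    # (.2/32 + .3/32 -> .2/31) and returns disjoint blocks; sort to be safe.
    reg = sorted(ipaddress.collapse_addresses(
        ipaddress.ip_network(r, strict=True) for r in registered))
    for r in reg:
        if not r.subnet_of(net):
            raise ValueError(f"{r} lies outside {net}")

    gaps = []
    cursor = int(net.network_address)          # first address not yet classified
    for r in reg:
        first, last = int(r.network_address), int(r.broadcast_address)
        if first > cursor:                     # hole before this registered block
            gaps.append((cursor, first - 1))
        cursor = last + 1                      # blocks are disjoint and ascending
    if cursor <= int(net.broadcast_address):   # tail of the block after the last one
        gaps.append((cursor, int(net.broadcast_address)))

    out: List[IPv4Net] = []
    for lo, hi in gaps:
        out.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return out


def is_partition(network: str, registered: Iterable[str],
                 prefixes: Iterable[IPv4Net]) -> bool:
    """Sanity check before loading thousands of rules: the unregistered
    prefixes must overlap no registered block, and together with the
    registered blocks they must cover the network exactly."""
    net = ipaddress.ip_network(network, strict=True)
    reg = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(r, strict=True) for r in registered))
    pre = list(prefixes)
    if any(p.overlaps(r) for p in pre for r in reg):
        return False
    total = sum(p.num_addresses for p in pre) + sum(r.num_addresses for r in reg)
    return total == net.num_addresses


def ip_route_prohibit(prefixes: Iterable[IPv4Net]) -> List[str]:
    """`ip route add prohibit`: the FIB answers with ICMP admin-prohibited
    instead of forwarding.  One route per unregistered prefix."""
    return [f"ip route add prohibit {p.with_prefixlen}" for p in prefixes]


def tc_ingress_police(dev: str, direction: str,
                      prefixes: Iterable[IPv4Net]) -> List[str]:
    """u32 match + policer on the ingress qdisc, i.e. dropped before routing
    and netfilter see the packet.  `direction` is "src" on the inside
    interface (traffic *from* unregistered hosts) or "dst" on the outside
    interface (traffic *to* them).  Syntax assumed from the LARTC HOWTO."""
    if direction not in ("src", "dst"):
        raise ValueError("direction must be 'src' or 'dst'")
    lines = [f"tc qdisc add dev {dev} handle ffff: ingress"]
    for p in prefixes:
        lines.append(
            f"tc filter add dev {dev} parent ffff: protocol ip prio 1 u32 "
            f"match ip {direction} {p.with_prefixlen} "
            f"police rate 1kbit burst 10k drop flowid :1")
    return lines


if __name__ == "__main__":
    prefixes = unregistered_prefixes(SAMPLE_NET, SAMPLE_REGISTERED)
    assert is_partition(SAMPLE_NET, SAMPLE_REGISTERED, prefixes)
    print(f"# {len(prefixes)} unregistered prefixes")
    print("\n".join(ip_route_prohibit(prefixes)))
    print("\n".join(tc_ingress_police("eth0", "src", prefixes)))
```

Two things worth noting when applying this to a real /16: the rule count depends entirely on how fragmented the registered addresses are (five registered entries already produce 30 prefixes here, because each hole between them is carved into aligned blocks), so allocating hosts in contiguous ranges is what actually brings the count down, and the prefix list must be regenerated and reloaded whenever the DNS zone changes, which argues for keeping the generator and the loader as one scripted step rather than editing rules by hand.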