Another idea: by default shape everything, but allow it to burst a bit (if that's not a problem). Make MARK X not shaped. MARK X some big networks which will always be Switzerland. Then make a script (using the Perl module I mentioned previously) to check whether a new connection should be shaped or not; if it should not be shaped, and if it's not part of the marked IPs already, you add to the MARK X list an entry for the /24 network the IP address is in. (I think you can safely say that a /24 network is in one country.) After one of these "temporary" marks is inactive for a while, remove it from the MARK X list; increase the "time to stay" for networks which are used often.

So, your server apps should trigger a script (in the background) upon every new connection (maybe some tcpwrappers can do that, maybe you have to modify a tcpwrapper). Make sure to update the database used by the scripts; Geo::IP has a "premium database subscription" update thingy.

Good luck, you can mail me if you need some help,

Jeroen.

On Wed, 31 Mar 2004 00:56:52 +0200 Rene Gallati <lartc@xxxxxxxxxxxxx> wrote:

> Hello List,
>
> I have a little non-standard problem (or so I guess). I'm getting a sponsored server on a backbone for almost nothing - which is quite nice. However there is a string attached: since the bandwidth to foreign countries is expensive, while in-land bandwidth is almost free, I need to shape down access to all "foreign" IPs.
>
> Now I have a (large) list of routes/prefixes for destinations which are ok - a whitelist if you want. The question I have now is, how do I best proceed in using that list so that the kernel does not spend too much time looking it up for every single packet.
>
> Is the routing table hashed by default so access is fast and I can just pump in the ~100KBytes of IP prefixes? Or does it traverse them linearly and I need to build a hierarchical structure so that it will be fast? (Sort of like in section 12.4 of the LARTC HOWTO with the filters?)
>
> I've also toyed with the idea of doing it in netfilter since I know netfilter quite a lot better than tc and ip, but it is mostly outgoing traffic that is a problem and I sort of feel that this is better done by the routing/filtering infrastructure than by the firewall.
>
> Any advice?
>
> Thanks in advance
>
> _______________________________________________
> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
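As an added illustration of the scheme Jeroen sketches above (this is not code from either message in the thread, and it is written in Python rather than the Perl he suggests), the following shows the bookkeeping side: every new connection is checked against a country lookup; domestic peers that are not already covered by a permanent "MARK X" network get a temporary /24 entry; repeated hits lengthen an entry's time to stay; a periodic sweep drops entries that have gone idle past their TTL. The Geo::IP lookup is replaced by a small constructed table over RFC 5737 documentation ranges, the home country code `CH`, the fwmark value `0x10`, and the use of the mangle `OUTPUT` chain are all assumptions, and the tc side (an HTB class selected by a `fw` filter on that mark) is not shown. The script only returns the `iptables` commands as strings instead of executing them, so it can be read and run anywhere. It also adds one caveat the thread does not mention: a cap on temporary entries, so that an attacker opening connections from many domestic /24s cannot grow the rule set without bound.

```python
"""Dynamic /24 shaping exemptions with ageing. Added example, not from the LARTC thread."""
import ipaddress
from dataclasses import dataclass

HOME = "CH"           # assumption: the server's own country
UNSHAPED_MARK = 0x10  # assumption: fwmark that the tc 'fw' filter maps to the unshaped class

# Constructed stand-in for Geo::IP (RFC 5737 documentation ranges, made-up countries).
# A real deployment would call Geo::IP / a GeoIP2 MMDB reader here.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "CH",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "CH",
}


def country_of(ip):
    """Return the ISO country code for an address, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None


def slash24(ip):
    """The /24 containing ip, following Jeroen's one-/24-one-country assumption."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def mark_rule(net, add=True):
    """iptables command that sets (or removes) the unshaped mark for traffic to net.
    Outgoing traffic is what costs money, so the match is on the destination."""
    op = "-A" if add else "-D"
    return f"iptables -t mangle {op} OUTPUT -d {net} -j MARK --set-mark {UNSHAPED_MARK:#x}"


@dataclass
class Entry:
    expires_at: float  # absolute time after which the mark is removed if idle
    hits: int          # number of connections seen; more hits, longer stay


class ExemptionTable:
    def __init__(self, permanent, base_ttl=600, max_ttl=86400, max_entries=4096):
        # permanent: the "big networks which will always be home country" (always marked)
        self.permanent = [ipaddress.ip_network(p) for p in permanent]
        self.base_ttl = base_ttl
        self.max_ttl = max_ttl
        self.max_entries = max_entries   # cap so a connection flood cannot bloat the rule set
        self.temporary = {}              # /24 network -> Entry

    def _in_permanent(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.permanent)

    def is_exempt(self, ip):
        """True if traffic to ip is currently marked as unshaped."""
        return self._in_permanent(ip) or slash24(ip) in self.temporary

    def on_connection(self, ip, now):
        """Hook to call for every new connection (e.g. from a tcpwrappers spawn).
        Returns the iptables commands that need to run, usually none."""
        if country_of(ip) != HOME:
            return []                    # foreign destination: stays shaped
        if self._in_permanent(ip):
            return []                    # already covered by a static MARK X network
        net = slash24(ip)
        entry = self.temporary.get(net)
        if entry is None:
            if len(self.temporary) >= self.max_entries:
                return []                # refuse to grow further; this peer stays shaped
            self.temporary[net] = Entry(now + self.base_ttl, 1)
            return [mark_rule(net, add=True)]
        entry.hits += 1
        ttl = min(self.base_ttl * entry.hits, self.max_ttl)   # busy networks stay longer
        entry.expires_at = now + ttl
        return []

    def expire(self, now):
        """Periodic sweep: drop temporary marks that have been idle past their TTL."""
        cmds = []
        for net in [n for n, e in self.temporary.items() if e.expires_at <= now]:
            del self.temporary[net]
            cmds.append(mark_rule(net, add=False))
        return cmds
```

In use, `on_connection()` would be invoked from whatever per-connection hook the server offers, and `expire()` from a cron job or a sleep loop; each returned command string is what the wrapper script would actually execute. Keeping the state in one place also makes it easy to rebuild the mangle chain from scratch after a reboot or a GeoIP database update.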