The problem I'm running into is that the processor gets
overloaded because of the amount of work tc is doing. I assumed it would
be able to handle the approx. 5000 customers we have on it. I have a bridge
set up between two devices that run from the internet to the local
network. This bridge takes up 20% of the CPU when tc is not enabled.
When tc becomes enabled, it finishes off the rest of the CPU and eats
most of the queue as well.
5,000 rules is significant. Have a look at the hashing examples in the LARTC howto for some ideas on how to slash bandwidth required.
There is also a high performance iptables project kicking around which does much better for large rulesets. Since you don't seem to need anything advanced I would have thought this was a drop-in replacement. Have a look at http://www.hipac.org/index.htm - Never used it though, just came across it on Google.
I think another chap who posted a few hours earlier may be really interested in your perl script to read users from the DB and build rules. If you have any kind of traffic accounting I think he would be interested in that as well. Want to share any of that...?
Good luck
Ed W

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
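To make the hashing suggestion above concrete, here is an added example (not posted in the thread, and not the original poster's perl script) of what the generated rules look like when per-customer u32 filters are placed in a 256-bucket hash table instead of one linear chain. The device name, the 10.0.0.0/16 customer range, the rates and the three-row customer list are all constructed; the script only prints the tc commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: generate tc commands that put one u32 filter per customer into
# a 256-bucket hash table keyed on the 3rd octet of the destination IP. A packet
# is then compared against the few rules in one bucket rather than walked past
# thousands of rules in sequence. Everything below is constructed sample data.

# Constructed stand-in for rows read from the customer DB: "ip rate" per line.
CUSTOMERS='10.0.1.5 512kbit
10.0.1.200 1mbit
10.0.37.9 256kbit'

# Split a dotted quad into four words (caller captures them with "set --").
_octets() { echo "$1" | tr '.' ' '; }

# Class minor id for a customer: third_octet*256 + fourth_octet, in hex.
# Customers live in 10.0.1.0-10.0.255.255, so minors start at 0x100 and never
# collide with the fixed classes 1:1 (parent) and 1:2 (default).
customer_classid() {
  set -- $(_octets "$1")
  printf '%x' $(( $3 * 256 + $4 ))
}

# Hash bucket for a customer: the third octet, in hex (u32 bucket ids are hex).
customer_bucket() {
  set -- $(_octets "$1")
  printf '%x' "$3"
}

# Emit the full tc command list for device $1 as text, so it can be reviewed
# and then fed to `sh` (or rewritten for `tc -batch`).
gen_tc_hash() {
  dev=$1
  echo "tc qdisc add dev $dev root handle 1: htb default 2"
  echo "tc class add dev $dev parent 1: classid 1:1 htb rate 100mbit"
  echo "tc class add dev $dev parent 1:1 classid 1:2 htb rate 1mbit"
  # Empty hash table 2: with 256 buckets.
  echo "tc filter add dev $dev parent 1:0 prio 5 handle 2: protocol ip u32 divisor 256"
  # One HTB class and one bucket entry per customer.
  printf '%s\n' "$CUSTOMERS" | while read -r ip rate; do
    [ -n "$ip" ] || continue
    cid=$(customer_classid "$ip")
    bkt=$(customer_bucket "$ip")
    echo "tc class add dev $dev parent 1:1 classid 1:$cid htb rate $rate"
    echo "tc filter add dev $dev protocol ip parent 1:0 prio 5 u32 ht 2:$bkt: match ip dst $ip/32 flowid 1:$cid"
  done
  # Root filter: hash on the 3rd octet of the destination address (offset 16 in
  # the IP header, mask 0x0000ff00) and jump into table 2:.
  echo "tc filter add dev $dev protocol ip parent 1:0 prio 5 u32 ht 800:: match ip dst 10.0.0.0/16 hashkey mask 0x0000ff00 at 16 link 2:"
}

# Usage (as root, after reading the output):  gen_tc_hash eth1 | sh
```

Keying on the third octet means each bucket holds at most the customers of one /24, so the per-packet cost stays roughly constant no matter how many /32 rules exist in total; the classid scheme is only one convenient way to keep class ids unique without a counter.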