ericr wrote:
> I am trying to build a traffic control rule set for a huge NATed
> network, and I have it working for single known addresses but I need
> to scale it to 16M potential client addresses. I'm using iptables
> for NAT. Incoming traffic is simple because I can match destination
> address, outgoing traffic I use iptables IPMARK then tc match mark
> and it works perfectly if I build rules for each client individually.
> I am worried about performance as the client list increases.
>
> I need to place client IPs into classes like routers, freeloaders,
> lite-access, premium-access, etc. I have no problem with rewriting
> rules on the fly. It is easy to pop in a rule change any time a user
> authenticates or is disconnected for inactivity.

I don't know what exactly it is you're doing, but here's a thought. Do
you control the allocation of addresses via DHCP? If so, it might be
faster/easier to simply set up IP ranges for your separate classes of
user.

10.1.0.0/16 routers
10.2.0.0/16 freeloaders
10.3.0.0/16 ...etc...

Then you can use single matches in iptables/tc to identify packets
to/from each class.

-Corey
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
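The per-range approach above, worked through as an added example (this is not code from the thread or from either poster). It assumes an HTB root qdisc, a LAN interface eth1 facing the clients and a NATed uplink eth0; the /16 ranges, class ids, fwmarks and rates are made-up values. One detail the example handles that the reply does not spell out: traffic from the clients leaves the uplink after SNAT, so tc cannot match the client source range there; the packet is marked per range in the mangle table before NAT and tc classifies on the mark with an fw filter, while traffic towards the clients is matched on its destination with a single u32 filter per range.

```shell
#!/bin/sh
# Added example, not from the LARTC thread. Shapes traffic per class of client
# where each class owns one address range. Assumptions (all illustrative):
# clients sit behind $LAN, the SNATed uplink is $WAN, the root qdisc is HTB,
# and the ranges, class ids, marks and rates in CLASSES are constructed values.
LAN="${LAN:-eth1}"
WAN="${WAN:-eth0}"
# Dry run by default: every command is printed, nothing is applied.
# Set DRY=0 and run as root to actually install the rules.
DRY="${DRY:-1}"
run() { if [ "$DRY" = 1 ]; then echo "$*"; else "$@"; fi; }

# Class table: cidr name classid fwmark rate ceil (constructed values)
CLASSES='10.1.0.0/16 routers     1:10 0x10 50mbit 100mbit
10.2.0.0/16 freeloaders 1:20 0x20 1mbit  2mbit
10.3.0.0/16 lite        1:30 0x30 5mbit  10mbit
10.4.0.0/16 premium     1:40 0x40 20mbit 100mbit'

# HTB root and one parent class per interface. Anything no filter matches
# (e.g. a client outside every range) falls into the freeloaders class 1:20,
# so an unclassified address is throttled rather than unshaped.
root_qdisc() {
  dev="$1"
  run tc qdisc del dev "$dev" root 2>/dev/null || true
  run tc qdisc add dev "$dev" root handle 1: htb default 20
  run tc class add dev "$dev" parent 1: classid 1:1 htb rate 100mbit ceil 100mbit
}

# Towards the clients: packets leave on $LAN with the client as destination,
# so tc matches the whole range directly with one u32 filter per class.
downstream_rules() {
  root_qdisc "$LAN"
  echo "$CLASSES" | while read cidr name classid mark rate ceil; do
    run tc class add dev "$LAN" parent 1:1 classid "$classid" htb rate "$rate" ceil "$ceil"
    run tc filter add dev "$LAN" parent 1: protocol ip prio 1 u32 \
      match ip dst "$cidr" flowid "$classid"
  done
}

# From the clients: packets leave on $WAN after SNAT, so the client source
# address is gone by the time tc sees them. Mark per range in mangle
# PREROUTING (which runs before nat) and classify on the mark with fw.
upstream_rules() {
  root_qdisc "$WAN"
  echo "$CLASSES" | while read cidr name classid mark rate ceil; do
    run iptables -t mangle -A PREROUTING -i "$LAN" -s "$cidr" -j MARK --set-mark "$mark"
    run tc class add dev "$WAN" parent 1:1 classid "$classid" htb rate "$rate" ceil "$ceil"
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle "$mark" fw flowid "$classid"
  done
}

downstream_rules
upstream_rules
```

Run it as-is to review the generated rule set; the number of filters and mangle rules is fixed by the number of classes, not by the number of clients, which is the point of the reply. Moving a client between classes then means handing it an address in a different range at its next DHCP lease (or tearing down its NAT state), not editing rules, so the class boundaries only hold as long as clients cannot pick their own address; a static address in the premium range would be classified as premium, which is worth keeping in mind on an untrusted LAN.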