VladSun wrote:
> Alexandru Dragoi wrote:
>> u32 hash filters are the key, as somebody pointed out. You can also tune your
>> iptables setup, like this
>>
>> #192.168.1.0/24
>> iptables -t mangle -N 192-168-1-0-24
>> iptables -t mangle -A FORWARD -s 192.168.1.0/24 -j 192-168-1-0-24
>> iptables -t mangle -N 192-168-1-0-25
>> iptables -t mangle -N 192-168-1-128-25
>> iptables -t mangle -A 192-168-1-0-24 -s 192.168.1.0/25 -j 192-168-1-0-25
>> iptables -t mangle -A 192-168-1-0-24 -s 192.168.1.128/25 -j 192-168-1-128-25
>> .
>> .
>> and so on, until (ip 192.168.1.11, which is called in chain created for
>> 192.168.1.10/31)
>>
>> iptables -t mangle -A 192-168-1-10-31 -s 192.168.1.10 -j CLASSIFY --set-class 1:10
>> iptables -t mangle -A 192-168-1-10-31 -s 192.168.1.11 -j CLASSIFY --set-class 1:11
>>
>> .. I guess you got the idea, it requires some RAM, which I believe is
>> not such a big problem. Similar rules should be made for download.
>>
>
> Or you can use my patch - IPCLASSIFY. Then the rules above would be
> substituted by a single rule per direction:
>
> iptables -t mangle -A FORWARD -s 192.168.1.0/24 -j IPCLASSIFY --addr=src --and-mask=0xff --or-mask=0x11000
> iptables -t mangle -A FORWARD -d 192.168.1.0/24 -j IPCLASSIFY --addr=dst --and-mask=0xff --or-mask=0x12000
>
> This is equal to applying CLASSIFY target to each packet with
> --set-class (srcIP & 0xFF | 0x1100 ) and --set-class (dstIP & 0xFF |
> 0x1200 ).
> It is very similar to IPMARK, but it uses skb->priority field instead of
> mark. So no tc filters are needed.
>

Cool, I remember I read about this a little while ago. Now, another thing to tune would be some htb patches for massive hashing on classid lookup. I must say I haven't used it so far, I hope I will do it soon.

http://www.mail-archive.com/lartc@xxxxxxxxxxxxxxx/msg16279.html

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
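The chain tree that the quoted message abbreviates with "and so on", written out as a generator script. This is an added example, not part of the original thread; the function name gen_tree is an assumption, and the script only prints the iptables commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: print the mangle-table rules for a binary tree of chains
# over one /24, following the chain naming used in the post
# (192-168-1-<first host octet>-<prefix length>).
# A packet from the /24 is tested against at most two rules per level
# (7 levels plus the /31 leaf) instead of a flat list of 254 host rules.

gen_tree() {
    net=$1                                  # first three octets, e.g. 192.168.1
    tag=$(printf '%s' "$net" | tr . -)      # 192.168.1 -> 192-168-1

    # Root chain for the whole /24, entered from FORWARD.
    echo "iptables -t mangle -N $tag-0-24"
    echo "iptables -t mangle -A FORWARD -s $net.0/24 -j $tag-0-24"

    # Split every block in half, level by level, down to /31.
    len=24
    while [ "$len" -lt 31 ]; do
        size=$((1 << (32 - len)))           # addresses per block at this level
        half=$((size / 2))
        child=$((len + 1))
        start=0
        while [ "$start" -lt 256 ]; do
            for off in 0 "$half"; do
                sub=$((start + off))
                echo "iptables -t mangle -N $tag-$sub-$child"
                echo "iptables -t mangle -A $tag-$start-$len -s $net.$sub/$child -j $tag-$sub-$child"
            done
            start=$((start + size))
        done
        len=$child
    done

    # Leaf rules: one CLASSIFY per host, in the /31 chain that covers it.
    # .0 and .255 (network and broadcast) are skipped.
    # Class minor follows the post's 1:<last octet> convention; tc reads the
    # digits as hex (1:10 is minor 0x10), which still gives each host its own class.
    host=1
    while [ "$host" -lt 255 ]; do
        leaf=$((host / 2 * 2))              # even address that starts the /31
        echo "iptables -t mangle -A $tag-$leaf-31 -s $net.$host -j CLASSIFY --set-class 1:$host"
        host=$((host + 1))
    done
}

gen_tree 192.168.1
```

As the post says, similar rules are needed for the download direction, matching on -d with a second set of chains.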