On Thursday 2008-05-15 13:29, Anton wrote:

>On Thursday 15 May 2008 16:18, Jan Engelhardt wrote:
>> On Thursday 2008-05-15 12:57, Anton wrote:
>> >Definitely what my test shows - while rule-inserts - if
>> > you try to insert 10000 rules - after several
>> > hundred - it will be inserting like 1 rule in 1
>> > second and slowness will progress :)
>>
>> Your insertion slowness is probably due to incorrect use
>> of iptables.
>
>Possible too.
>
>But aside from use of IPMARK from xtables, if I have to match
>80 (prio traffic) 22 (realtime) port for every customer IP

prio and realtime sound quite the same :p

>and customer's ip too (bulk traffic) for another mark set
>and all with different htb queues - IPMARK will not help
>and in case of, say, 1000 matching IP's, it comes to 4
>queues per , with 3 to use with lending/borrowing (main,
>80, and 22) and 3000 queues in total, plus POSTROUTING
>mangle rule per park (3000 rules) + 3000 return rules
>(6000) rules and so on. If this PC also does NAT for
>matches - it will come with extra 1000 rules (or single
>IPSET :)
>
>If there is a better approach to this in relation to
>IPTABLES - this would be just great...

Write your own module that sets the mark according to your taste,
it is not that hard. I have a semibook ("big pdf") on that entitled
"Writing your own Netfilter modules" on http://jengelh.medozas.de/.
You can easily use IPMARK as a base.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
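The mark-arithmetic idea behind Jan's suggestion (derive the per-customer part of the fwmark from the address instead of keeping one mangle rule per customer, and fold the traffic class into the upper bits) can be modelled outside the kernel. The following is an added example written for this page, not code from the thread, from xtables-addons or from Jan's "Writing your own Netfilter modules"; the IPMARK arithmetic it mirrors ((addr >> shift) & and_mask | or_mask) is my reading of that target's documented options, and the port-class layout, the /22 customer range and the tc class numbering are constructed assumptions, chosen only to show that a handful of rules can drive 3000 htb leaves.

```python
import ipaddress

# Constructed mark layout (assumption, not from the thread):
#   bits 0..15  : customer index, taken from the host part of the address
#   bits 16..17 : traffic class, 0 = bulk, 1 = port 80 (prio), 2 = port 22 (realtime)
PORT_CLASS = {80: 1, 22: 2}
CLASS_SHIFT = 16
CUSTOMER_MASK = 0xFFFF
LEAVES_PER_CUSTOMER = 4  # one parent class plus three leaves, as in Anton's layout


def ipmark(addr: str, and_mask: int, or_mask: int, shift: int = 0) -> int:
    """Mark derived from an IPv4 address the way an IPMARK rule would compute it
    (my reading of the target's semantics): (addr >> shift) & and_mask | or_mask."""
    a = int(ipaddress.IPv4Address(addr))
    return ((a >> shift) & and_mask) | or_mask


def customer_class_mark(addr: str, dport: int, prefix_len: int = 22) -> int:
    """Mark a custom target (or one IPMARK rule per traffic class, each with its own
    --or-mask) could set: host bits of the customer address plus a class code.
    prefix_len is the constructed size of the customer address block."""
    host_mask = (1 << (32 - prefix_len)) - 1
    customer = ipmark(addr, host_mask, 0)
    traffic_class = PORT_CLASS.get(dport, 0)  # anything not 80/22 is bulk
    return (traffic_class << CLASS_SHIFT) | customer


def tc_classid(mark: int) -> str:
    """Map a mark back to the htb leaf it should land in (constructed numbering:
    each customer owns a block of LEAVES_PER_CUSTOMER minor ids under qdisc 1:,
    minor 0 is the parent, minors 1..3 are the bulk/prio/realtime leaves)."""
    customer = mark & CUSTOMER_MASK
    traffic_class = mark >> CLASS_SHIFT
    minor = customer * LEAVES_PER_CUSTOMER + 1 + traffic_class
    return f"1:{minor:x}"


def mangle_rules(prefix_len: int = 22) -> list:
    """The constant-size mangle rule set this layout needs: one IPMARK rule per
    traffic class, independent of the number of customers. Emitted as strings
    only; nothing here touches the firewall."""
    host_mask = (1 << (32 - prefix_len)) - 1
    rules = []
    for port, cls in PORT_CLASS.items():
        rules.append(
            f"iptables -t mangle -A POSTROUTING -p tcp --dport {port} "
            f"-j IPMARK --addr dst --and-mask {host_mask:#x} "
            f"--or-mask {cls << CLASS_SHIFT:#x}"
        )
    # bulk: everything still unmarked after the class rules
    rules.append(
        f"iptables -t mangle -A POSTROUTING -m mark --mark 0 "
        f"-j IPMARK --addr dst --and-mask {host_mask:#x} --or-mask 0x0"
    )
    return rules


if __name__ == "__main__":
    for addr, port in [("10.0.1.5", 80), ("10.0.1.5", 22), ("10.0.1.5", 443)]:
        m = customer_class_mark(addr, port)
        print(f"{addr}:{port} -> mark {m:#x} -> class {tc_classid(m)}")
    print("\n".join(mangle_rules()))
```

The tc side then needs one `fw` filter per leaf (or a single `tc filter ... handle ... fw` per class with the mark-to-classid mapping above), so the rule count that grows with the customer base lives in tc, where it is static, rather than in the mangle table Anton was timing inserts against.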