On Sun, Jun 22, 2008, howard chen wrote:
> Hi,
>
> On Sun, Jun 22, 2008 at 1:23 AM, Jose Ildefonso Camargo Tolosa
> > for 1: maybe iptables + l7filter ( http://l7-filter.sourceforge.net/ ).
> > for 2: iptables, yup, plain iptables.
> > for 3. not sure... but maybe iptables + l7filter too.
> >
>
> The problem with iptables is it is NOT suitable to handle a lot of
> rules; it has been discussed on the netfilter mailing list before...

Of course it is. You just have to know what you're doing.

Go look at the ip set stuff. You can define a rule which will match on the presence of the match in a list or tree; I've got one site running > 10,000 entries in a single ip set used by half a dozen iptables rules, and the CPU required for processing up to 100mbit is utterly trivial. (It used to be > 10,000 iptables rules... this didn't work too well.)

> Currently I have a proxy written using C which stores IP info in memory,
> which is lightning fast and efficient. I just wonder whether I should merge
> this proxy into squid or not. (They are running on the same machine
> now.)

Patches always accepted. Just go and check out the external_acl helper. Squid does pretty efficient src/dst IP matching too, btw.

Adrian

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
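The ipset approach Adrian describes (one set holding all the addresses, a handful of iptables rules consulting it), as an added example that is not part of the thread and not Squid or netfilter project code. It only generates text in the formats that `ipset restore` and `iptables-restore` read, so it runs offline and without root; the set name `blocked_src`, the chain layout and the sample addresses are assumptions made for the example.

```python
"""Added example (not from the original thread): build one ipset from a
list of addresses and reference it from a few iptables rules, instead of
emitting one iptables rule per address.

Nothing here touches the kernel: the functions return the text that
`ipset restore` and `iptables-restore` consume.  The set name, chain
layout and sample addresses are assumptions for this example.
"""
import ipaddress

# Constructed sample of blocked sources (a real site would have >10,000).
BLOCKED = [
    "203.0.113.0/24",
    "198.51.100.7",
    "192.0.2.0/25",
    "198.51.100.7",     # duplicate, must be dropped
    "2001:db8::/32",    # IPv6 entry, must be ignored for an inet set
]

SET_NAME = "blocked_src"   # assumed set name


def normalize(entries, family="inet"):
    """Return a sorted, de-duplicated list of networks for one family."""
    want = 4 if family == "inet" else 6
    nets = set()
    for e in entries:
        net = ipaddress.ip_network(e, strict=False)   # host -> /32 or /128
        if net.version == want:
            nets.add(net)
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def ipset_restore(entries, name=SET_NAME, family="inet", maxelem=65536):
    """Text for `ipset restore`: one create line plus one add per network.

    hash:net matches both single hosts and CIDR blocks, so one set can
    replace host rules and subnet rules alike.  Bulk-loading through
    restore is far cheaper than forking `ipset add` once per entry.
    """
    nets = normalize(entries, family)
    lines = [f"create {name} hash:net family {family} hashsize 1024 maxelem {maxelem}"]
    lines += [f"add {name} {n.with_prefixlen}" for n in nets]
    return "\n".join(lines) + "\n"


def iptables_restore(name=SET_NAME):
    """A few rules in `iptables-restore` format that all consult the set.

    The rule count stays constant however many entries the set holds,
    which is the whole point versus one `-s` rule per address: packet
    processing is one hash lookup instead of a walk down a long chain.
    """
    return "\n".join([
        "*filter",
        f"-A INPUT -m set --match-set {name} src -j DROP",
        f"-A FORWARD -m set --match-set {name} src -j DROP",
        f"-A FORWARD -m set --match-set {name} dst -j REJECT",
        "COMMIT",
    ]) + "\n"


def per_address_rules(entries):
    """The approach the thread says did not scale: one rule per address."""
    return [f"-A INPUT -s {n.with_prefixlen} -j DROP"
            for n in normalize(entries)]


if __name__ == "__main__":
    print(ipset_restore(BLOCKED))
    print(iptables_restore())
    print(f"{len(per_address_rules(BLOCKED))} chain rules the old way, "
          f"3 rules plus one set the ipset way")
```

Feed the first output to `ipset -exist restore` (the `-exist` flag makes re-loading an already populated set idempotent) and the second to `iptables-restore -n` so existing chains are kept; load the set before the rules, since `--match-set` refuses to reference a set that does not exist yet. When the list changes, create a second set, load it, and swap the two with `ipset swap`, which replaces the contents atomically without ever leaving the rules pointing at an empty set.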
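The external_acl helper route Adrian points Howard at, as an added example that is not part of the thread and not Squid's own code: a helper that keeps its address policy in memory and answers Squid's per-request queries. It implements the helper protocol as described in Squid's external_acl_type documentation (one request per line, `OK` or `ERR` back, and with `concurrency=N` a leading channel id that must be echoed); the ACL name `ip_policy`, the policy file format and the sample networks are assumptions for the example.

```python
"""Added example (not from the original thread): a minimal Squid
external_acl helper that answers from an in-memory address policy, the
shape suggested for folding a standalone IP-filtering proxy into Squid.

Protocol as implemented here: Squid writes one request per line; when the
helper is started with concurrency=N the line begins with a channel id
that must be echoed back; the helper replies OK or ERR.  The policy
format and the sample networks are assumptions for this example.
"""
import ipaddress
import sys

# Constructed sample policy: client networks that are allowed through.
ALLOWED_SRC = """
# one network or host per line, '#' starts a comment
10.0.0.0/8
192.0.2.0/24
198.51.100.7
"""


def load_networks(text):
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def build_index(nets):
    """Index networks by (version, prefixlen) -> set of network ints.

    A lookup then costs at most one set probe per distinct prefix length
    present (<= 33 for v4, <= 129 for v6), independent of how many
    entries the policy holds, so 10,000 entries cost the same as 10.
    """
    index = {}
    for n in nets:
        key = (n.version, n.prefixlen)
        index.setdefault(key, set()).add(int(n.network_address))
    return index


def is_allowed(addr, index):
    """True if addr falls inside any indexed network; bad input is ERR."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    ip_int, bits = int(ip), ip.max_prefixlen
    for (ver, plen), nets in index.items():
        if ver != ip.version:
            continue
        shift = bits - plen
        if (ip_int >> shift) << shift in nets:   # mask to the prefix
            return True
    return False


def handle_line(line, index, concurrent=False):
    """Turn one request line from Squid into the reply line it expects."""
    fields = line.strip().split()
    if not fields:
        return "ERR"
    chan = ""
    if concurrent:
        chan, fields = fields[0] + " ", fields[1:]   # echo the channel id
        if not fields:
            return chan + "ERR"
    return chan + ("OK" if is_allowed(fields[0], index) else "ERR")


INDEX = build_index(load_networks(ALLOWED_SRC))


def serve(inp=sys.stdin, out=sys.stdout, concurrent=False):
    for line in inp:
        out.write(handle_line(line, INDEX, concurrent) + "\n")
        out.flush()   # Squid blocks on the reply; never leave it buffered


if __name__ == "__main__":
    serve(concurrent="--concurrent" in sys.argv[1:])
```

An assumed squid.conf wiring for it would be `external_acl_type ip_policy concurrency=10 %SRC /usr/local/bin/ip_helper.py --concurrent`, then `acl allowed_src external ip_policy` and `http_access allow allowed_src`. Squid caches helper verdicts (see the `ttl` and `negative_ttl` options of external_acl_type), so the helper is only hit on cache misses. As Adrian notes, plain source or destination address matching is something Squid's own `src`/`dst` ACLs already do efficiently; a helper like this earns its keep only when the decision needs state or logic those ACLs cannot express.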