
Re: [LARTC] Massive filtering

To: ericr@ipro.net
Subject: Re: [LARTC] Massive filtering
From: Corey Hickey <bugfood-ml@fatooh.org>
Date: Sat, 12 May 2007 14:51:33 -0700
Cc: lartc@mailman.ds9a.nl
Delivered-to: sp-com-lists@consult.net
Delivered-to: lartc-list@securepoint.com
Delivered-to: lartc@outpost.ds9a.nl
In-reply-to: <200705050130.AA2025718096@ipro.net>
List-archive: <http://mailman.ds9a.nl/pipermail/lartc>
List-help: <mailto:lartc-request@mailman.ds9a.nl?subject=help>
List-id: "Mailinglist of the Linux Advanced Routing &amp; Traffic Control project" <lartc.mailman.ds9a.nl>
List-post: <mailto:lartc@mailman.ds9a.nl>
List-subscribe: <http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=subscribe>
List-unsubscribe: <http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=unsubscribe>
References: <200705050130.AA2025718096@ipro.net>
Sender: lartc-bounces@mailman.ds9a.nl
User-agent: Icedove 1.5.0.10 (X11/20070328)

ericr wrote:
> I am trying to build a traffic control rule set for a huge NATed
> network, and I have it working for single known addresses but I need
> to scale it to 16M potential client addresses.  I'm using iptables
> for NAT.  Incoming traffic is simple because I can match destination
> address, outgoing traffic I use iptables IPMARK then tc match mark
> and it works perfectly if I build rules for each client individually.
> I am worried about performance as the client list increases.
> 
> I need to place client IPs into classes like routers, freeloaders,
> lite-access, premium-access, etc. I have no problem with rewriting
> rules on the fly.  It is easy to pop in a rule change any time a user
> authenticates or is disconnected for inactivity.

I don't know what exactly it is you're doing, but here's a thought.

Do you control the allocation of addresses via DHCP? If so, it might be
faster/easier to simply set up IP ranges for your separate classes of user.

10.1.0.0/16        routers
10.2.0.0/16        freeloaders
10.3.0.0/16        ...etc...

Then you can use single matches in iptables/tc to identify packets
to/from each class.

-Corey
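Corey's suggestion worked through as a script. This is an added example, not code from the original thread: the /16 ranges are the ones in the reply, while the extra class names, the fw mark values and the interface names (eth0 as LAN side, eth1 as WAN side) are assumptions. It maps an address to its class with one prefix comparison and emits one mark rule plus one tc filter per class, which is what replaces the per-client rules.

```sh
#!/bin/sh
# Added example (not from the original post): one CIDR per user class,
# so a single iptables/tc rule per class replaces one rule per client.
# Ranges follow the reply; mark values and the last two names are assumed.
# Format: "<fwmark> <cidr> <class>".
CLASS_TABLE='1 10.1.0.0/16 routers
2 10.2.0.0/16 freeloaders
3 10.3.0.0/16 lite-access
4 10.4.0.0/16 premium-access'

# Dotted quad -> 32-bit integer (shell arithmetic is at least 32 bits wide).
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Name of the class whose prefix contains the address, or "unclassified".
# The here-doc keeps the loop in the current shell, so "found" survives it.
class_of_ip() {
    addr=$(ip2int "$1")
    found=unclassified
    while read -r mark cidr name; do
        net=${cidr%/*}; bits=${cidr#*/}
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        if [ $(( addr & mask )) -eq $(( $(ip2int "$net") & mask )) ]; then
            found=$name
            break
        fi
    done <<EOF
$CLASS_TABLE
EOF
    echo "$found"
}

# Emit the per-class rule set. Commands are printed, not executed, so this
# runs without root; pipe the output into sh on the gateway to apply it.
# Outbound: mark in mangle PREROUTING, i.e. before SNAT rewrites the source,
# then shape on the WAN device by mark. Inbound: by the time the packet
# leaves the LAN device the reverse NAT has restored the private destination,
# so a u32 match on the class prefix is enough.
gen_rules() {
    lan=${1:-eth0}   # assumed LAN-facing interface
    wan=${2:-eth1}   # assumed WAN-facing interface
    while read -r mark cidr name; do
        echo "# class $name"
        echo "iptables -t mangle -A PREROUTING -s $cidr -j MARK --set-mark $mark"
        echo "tc filter add dev $wan parent 1: protocol ip prio 1 handle $mark fw flowid 1:$mark"
        echo "tc filter add dev $lan parent 1: protocol ip prio 1 u32 match ip dst $cidr flowid 1:$mark"
    done <<EOF
$CLASS_TABLE
EOF
}

# Usage demo: classify a sample address, then print the rule set.
class_of_ip 10.2.55.1        # freeloaders
gen_rules eth0 eth1
```

One caveat for this design: the address itself becomes the user's class credential. A host that self-assigns an address in the premium range, or spoofs one, is shaped as premium unless the gateway only translates addresses that hold a lease (static DHCP reservations, or NAT rules keyed to the lease table) and the access layer enforces IP/MAC binding.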
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
