[LARTC] big problem with HTB/CBQ and CPU for more than 1.700 customers
VladSun
vladsun at relef.net
Mon May 28 15:39:11 CEST 2007
Alexandru Dragoi wrote:
> u32 hash filters are the key, as somebody pointed out. You can also tune your
> iptables setup, like this:
>
> #192.168.1.0/24
> iptables -t mangle -N 192-168-1-0-24
> iptables -t mangle -A FORWARD -s 192.168.1.0/24 -j 192-168-1-0-24
> iptables -t mangle -N 192-168-1-0-25
> iptables -t mangle -N 192-168-1-128-25
> iptables -t mangle -A 192-168-1-0-24 -s 192.168.1.0/25 -j 192-168-1-0-25
> iptables -t mangle -A 192-168-1-0-24 -s 192.168.1.128/25 -j 192-168-1-128-25
> .
> .
> and so on, until (ip 192.168.1.11, which is called in chain created for
> 192.168.1.10/31)
>
> iptables -t mangle -A 192-168-1-10-31 -s 192.168.1.10 -j CLASSIFY --set-class 1:10
> iptables -t mangle -A 192-168-1-10-31 -s 192.168.1.11 -j CLASSIFY --set-class 1:11
>
> .. I guess you got the idea, it requires some RAM, which I believe is
> not such a big problem. Similar rules should be made for download.
>
>
Or you can use my patch - IPCLASSIFY. Then the rules above would be
substituted by a single rule per direction:

iptables -t mangle -A FORWARD -s 192.168.1.0/24 -j IPCLASSIFY --addr=src --and-mask=0xff --or-mask=0x11000
iptables -t mangle -A FORWARD -d 192.168.1.0/24 -j IPCLASSIFY --addr=dst --and-mask=0xff --or-mask=0x12000

This is equal to applying the CLASSIFY target to each packet with
--set-class (srcIP & 0xFF | 0x1100 ) and --set-class (dstIP & 0xFF |
0x1200 ).
It is very similar to IPMARK, but it uses the skb->priority field instead
of mark. So no tc filters are needed.
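
Added example (not part of the original messages, and not code from the IPCLASSIFY patch): a Python script that generates the complete chain tree the quoted message abbreviates with "and so on", counts how many rules a packet is tested against on its way through it, and evaluates the (IP & and-mask) | or-mask expression with the masks from the two IPCLASSIFY commands. The function names and the use of the last octet as the class minor are assumptions made for the illustration.

```python
import ipaddress

def chain(net):
    # Chain naming as in the quoted message: 192.168.1.0/25 -> 192-168-1-0-25
    return f"{net.network_address}-{net.prefixlen}".replace(".", "-")

def tree_rules(cidr, major=1):
    """iptables commands for the binary-split chain tree over one subnet."""
    root = ipaddress.ip_network(cidr)
    rules = [f"iptables -t mangle -N {chain(root)}",
             f"iptables -t mangle -A FORWARD -s {root} -j {chain(root)}"]
    todo = [root]
    while todo:
        net = todo.pop(0)
        if net.prefixlen >= 31:
            # Leaf chain: one CLASSIFY rule per host address.
            for ip in net:
                # Assumption: minor written as the last octet's decimal digits,
                # as in the quoted message (iptables parses them as hex).
                rules.append(f"iptables -t mangle -A {chain(net)} -s {ip} "
                             f"-j CLASSIFY --set-class {major}:{int(ip) & 0xFF}")
            continue
        for half in net.subnets(prefixlen_diff=1):
            rules.append(f"iptables -t mangle -N {chain(half)}")
            rules.append(f"iptables -t mangle -A {chain(net)} -s {half} -j {chain(half)}")
            todo.append(half)
    return rules

def worst_case_matches(cidr):
    """Upper bound on rules one packet is tested against inside the tree."""
    depth = max(0, 31 - ipaddress.ip_network(cidr).prefixlen)
    return 1 + 2 * depth + 2  # FORWARD jump, two rules per split level, two leaf rules

def masked_class(ip, and_mask, or_mask):
    """(IP & and_mask) | or_mask, shown as a tc major:minor handle in hex."""
    prio = (int(ipaddress.ip_address(ip)) & and_mask) | or_mask
    return f"{prio >> 16:x}:{prio & 0xFFFF:x}"

if __name__ == "__main__":
    rules = tree_rules("192.168.1.0/24")
    print("\n".join(rules[:6]), "\n...")
    print(len(rules), "rules;", worst_case_matches("192.168.1.0/24"), "tested per packet at most")
    print("src 192.168.1.11 ->", masked_class("192.168.1.11", 0xFF, 0x11000))
    print("dst 192.168.1.11 ->", masked_class("192.168.1.11", 0xFF, 0x12000))
```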