On Sun, Jun 22, 2008, howard chen wrote:
> Hi,
>
> On Sun, Jun 22, 2008 at 1:23 AM, Jose Ildefonso Camargo Tolosa
> > for 1: maybe iptables + l7filter ( http://l7-filter.sourceforge.net/ ).
> > for 2: iptables, yup, plain iptables.
> > for 3. not sure... but maybe iptables + l7filter too.
> >
>
> The problem with iptables is that it is NOT suitable to handle a lot of
> rules; it has been discussed in the netfilter mailing list before...
Of course it is. You just have to know what you're doing.
Go look at the ip set stuff. You can define a rule which will match on the
presence of the match in a list or tree; I've got one site running > 10,000
entries in a single ip set used by half a dozen iptables rules and the
CPU required for processing up to 100mbit is utterly trivial.
(It used to be > 10,000 iptables rules... this didn't work too well.)
> Currently I have a proxy written in C which stores IP info in memory,
> which is lightning fast and efficient. I just wonder whether I should merge
> this proxy into squid or not. (They are running on the same machine
> now.)
Patches always accepted. Just go and check out the external_acl helper.
Squid does pretty efficient src/dst IP matching too btw.
Adrian
--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Received on Sun Jun 22 2008 - 06:05:51 MDT
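The approach Adrian describes above (one ipset holding thousands of addresses, referenced by a single iptables rule, instead of one rule per address) as an added shell example; this is not code from the thread or from the Squid project. It assumes the ipset 6 `create`/`add` restore syntax and the `-m set --match-set` iptables match, which are newer than the 2008 tools discussed; the set name `blocked_src`, the chain and the sample addresses are constructed values.

```shell
#!/bin/sh
# Added example: build an `ipset restore` batch from a blocklist and emit the
# single iptables rule that matches against it. Assumes ipset >= 6 syntax and
# iptables with the `set` match. Names and sample data are constructed.

SET_NAME="blocked_src"
CHAIN="INPUT"

# Constructed sample blocklist: duplicates, junk and a prefix, one entry per line.
# Real input would be a file read with: ipset_batch "$(cat blocklist.txt)"
SAMPLE_LIST="203.0.113.5
203.0.113.5
198.51.100.77
not-an-ip
192.0.2.0/24"

# Keep only syntactically valid IPv4 hosts or CIDR prefixes, then dedupe, so a
# malformed line in the list cannot abort the whole restore.
clean_list() {
    printf '%s\n' "$1" \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
        | sort -u
}

# Emit ipset restore input: one `create`, then one `add` per entry.
# hash:net accepts both single hosts and prefixes; hashsize/maxelem are sized
# for tens of thousands of entries; -exist makes the batch re-runnable.
ipset_batch() {
    echo "create $SET_NAME hash:net family inet hashsize 65536 maxelem 200000 -exist"
    clean_list "$1" | while read -r ip; do
        echo "add $SET_NAME $ip -exist"
    done
}

# The one iptables rule that replaces N per-address rules: the set lookup is a
# hash probe, so rule count no longer grows with list size.
iptables_rule() {
    echo "iptables -A $CHAIN -m set --match-set $SET_NAME src -j DROP"
}

# How many rules the per-address approach would need for the same list.
per_address_rule_count() {
    clean_list "$1" | wc -l | tr -d ' '
}

# Stand-alone run: print the batch and the rule for the constructed sample.
ipset_batch "$SAMPLE_LIST"
iptables_rule
echo "# per-address rules avoided: $(per_address_rule_count "$SAMPLE_LIST")"
```

To load it for real, pipe the batch into `ipset restore` and then run the printed iptables rule once; later list changes only touch the set (`ipset add`/`ipset del`), not the ruleset, which is what keeps matching cheap at the scale Adrian mentions.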