I’ve approximated this in the past by periodic scanning of the output from ULOG-acctd. Unless there’s something I don’t know about the way Netfilter is set up in Zeroshell, I’d guess you should be able to use this approach to discover usage stats (leaving aside the details of where the user-space executable would sit). As for control of 6000 IP addresses independently, I’d love to hear anyone’s solutions – I don’t think that’s going to be easy to do efficiently.
I think that the problem is usually transposed, and instead a few different rate classes are set up, and IPs are switched from one class to another appropriately. Even so, handling the 6000 IPs separately might still be challenging.