
Re: Optimizing Kernel for huge iptables ruleset



On Tue, 2004-10-19 at 13:45, Andrew Porter wrote:
> On Tue, 2004-10-19 at 13:04, Martin G.H. Minkler wrote:
> 
> > Two iptables rulesets:
> > The first 'normal' ruleset is pretty restrictive against connections from 
> > the outside, more or less open towards connections opened from the LAN.
> > The second ruleset inserted after the first is a huge IP blacklist 
> > (1.4MB iptables script!) that takes nearly half an hour to be inserted 
> > into the running ruleset.

Thinking about this some more - and discussing it on IRC - you could
create a binary-tree style group of chains - jumping down the chains
based on the relevant IP subnets - 

chain1 - 123.0.0.0/8 - jumps to chainA
chain2 - 125.0.0.0/8 - jumps to chainB

chainA - 123.3.4.5 - DENY
chainB - 125.12.11.10 - DENY

You could optimise your list to the point that the maximum number of
comparisons needed would be 260ish with 3 layers of chains.  You
could easily generate this programmatically.
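The generator the post suggests, written out as an added example (this is not code from the thread or from any of its participants). It reads a flat list of host addresses and emits an iptables-restore fragment in which a root chain dispatches on the /8, each /8 chain dispatches on the /16, and each /16 chain holds the per-host rules, so a packet is compared against a handful of jump rules rather than the whole list. The chain names (BLACKLIST, BLACKLIST_123, BLACKLIST_123_3), the DROP target (the post says DENY, which is ipchains naming; the iptables target is DROP) and the sample addresses are all my own choices; the address list is constructed for the example.

```python
"""Build a two-level tree of iptables chains for an IP blacklist.

Added example, not from the original mailing-list post. Chain naming,
the DROP target and the sample address list below are assumptions
made for the example.
"""
import ipaddress

# Constructed sample blacklist; comments and blank lines are allowed
# in the input, as they would be in a hand-maintained list file.
SAMPLE = """
123.3.4.5       # the two addresses from the post
125.12.11.10
123.3.4.9
123.7.1.1
198.51.100.7
198.51.100.99
203.0.113.4
"""


def build_tree(addr_lines):
    """Return {first_octet: {second_octet: {IPv4Address, ...}}}.

    Duplicates collapse into the set; an unparsable address raises
    ipaddress.AddressValueError rather than silently producing a bad rule.
    """
    tree = {}
    for raw in addr_lines.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip = ipaddress.IPv4Address(line)
        a, b = ip.packed[0], ip.packed[1]
        tree.setdefault(a, {}).setdefault(b, set()).add(ip)
    return tree


def render_rules(addr_lines, root="BLACKLIST", target="DROP"):
    """Emit an iptables-restore fragment (filter table) for the chain tree.

    All chains are declared before any rule references them, which
    iptables-restore requires. Chain names stay well under the 28-character
    limit: the longest possible here is root + "_255_255".
    """
    tree = build_tree(addr_lines)
    lines = ["*filter", f":{root} - [0:0]"]
    for a in sorted(tree):
        lines.append(f":{root}_{a} - [0:0]")
        for b in sorted(tree[a]):
            lines.append(f":{root}_{a}_{b} - [0:0]")
    for a in sorted(tree):
        # level 1: one rule per populated /8 in the root chain
        lines.append(f"-A {root} -s {a}.0.0.0/8 -j {root}_{a}")
        for b in sorted(tree[a]):
            # level 2: one rule per populated /16 inside that /8
            lines.append(f"-A {root}_{a} -s {a}.{b}.0.0/16 -j {root}_{a}_{b}")
            for host in sorted(tree[a][b]):
                # leaves: the actual host matches
                lines.append(f"-A {root}_{a}_{b} -s {host} -j {target}")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def max_comparisons(addr_lines):
    """Worst-case number of rules one packet is compared against.

    A packet falls through every /8 jump in the root chain, then every /16
    jump in the /8 chain it entered, then every host rule in the /16 chain,
    so the worst case is the largest such sum over all leaf chains.
    """
    tree = build_tree(addr_lines)
    if not tree:
        return 0
    return max(len(tree) + len(subs) + len(hosts)
               for subs in tree.values() for hosts in subs.values())


def flat_comparisons(addr_lines):
    """Worst case for the original single-chain list: every host rule."""
    return sum(len(hosts) for subs in build_tree(addr_lines).values()
               for hosts in subs.values())


if __name__ == "__main__":
    print(render_rules(SAMPLE), end="")
    print(f"# worst case: tree {max_comparisons(SAMPLE)} rules, "
          f"flat {flat_comparisons(SAMPLE)} rules")
```

Load the output with `iptables-restore --noflush < blacklist.rules` (the whole file goes into the kernel in one table write instead of one `iptables` invocation per address), then hook it in with `iptables -I INPUT -j BLACKLIST`. On the seven-address sample the tree is actually slightly worse than the flat list (8 comparisons against 7) because the jump rules cost as much as host rules; the split only pays off once each /16 and /8 bucket holds many more entries than there are buckets, which is the situation a 1.4 MB list is in.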