Re: Optimizing Kernel for huge iptables ruleset
On Tue, 2004-10-19 at 13:45, Andrew Porter wrote:
> On Tue, 2004-10-19 at 13:04, Martin G.H. Minkler wrote:
> > Two iptables rulesets:
> > The first 'normal' ruleset is pretty restrictive against connections from
> > the outside, more or less open towards connections opened from the LAN.
> > The second ruleset inserted after the first is a huge IP blacklist
> > (1.4MB iptables script!) that takes nearly half an hour to be inserted
> > into the running ruleset.
Thinking about this some more - and discussing it on IRC - you could
create a binary-tree style group of chains - jumping down the chains
based on the relevant IP subnets -
chain1 - 220.127.116.11/8 - jumps to chainA
chain2 - 18.104.22.168/8 - jumps to chainB
chainA - 22.214.171.124 - DENY
chainB - 126.96.36.199 - DENY
You could optimise your list to the point that the most number of
comparisons needed then would be 260ish with 3 layers of chains. You
could easily generate this programmatically.
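A way to generate such a chain tree programmatically, as an added example that is not part of the original thread. It is a POSIX sh function wrapping awk that reads one IPv4 address per line and emits an iptables-restore fragment with a top-level BLACKLIST chain dispatching to per-/8 chains (BL_a), which dispatch to per-/16 chains (BL_a_b), which hold the individual host DROP rules. The blacklist entries, the chain names and the DROP target are assumptions for illustration; the poster's list used DENY targets and its own chain names.

```shell
#!/bin/sh
# Constructed sample blacklist (not the poster's 1.4MB list), one host per line.
SAMPLE_BLACKLIST='192.0.2.10
192.0.2.77
198.51.100.5
203.0.113.9
203.0.113.200
203.0.114.1'

# Read IPv4 addresses on stdin, print an iptables-restore "*filter" fragment:
#   BLACKLIST   -> jumps to BL_<a>     on the /8 of the source address
#   BL_<a>      -> jumps to BL_<a>_<b> on the /16 of the source address
#   BL_<a>_<b>  -> one "-s host/32 -j DROP" rule per listed host
# A lookup therefore costs at most (#/8 chains) + (#/16 chains under that /8)
# + (#hosts in that /16) comparisons instead of one per blacklisted host.
gen_blacklist_tree() {
    awk '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        split($0, o, ".")
        a = o[1]; b = o[2]
        l1 = "BL_" a
        l2 = "BL_" a "_" b
        if (!(l1 in seen1)) { seen1[l1] = 1; order1[n1++] = l1; net1[l1] = a ".0.0.0/8" }
        if (!(l2 in seen2)) { seen2[l2] = 1; order2[n2++] = l2; net2[l2] = a "." b ".0.0/16"; parent[l2] = l1 }
        hosts[l2] = hosts[l2] "-A " l2 " -s " $0 "/32 -j DROP\n"
    }
    END {
        print "*filter"
        print ":BLACKLIST - [0:0]"
        for (i = 0; i < n1; i++) print ":" order1[i] " - [0:0]"
        for (i = 0; i < n2; i++) print ":" order2[i] " - [0:0]"
        for (i = 0; i < n1; i++) print "-A BLACKLIST -s " net1[order1[i]] " -j " order1[i]
        for (i = 0; i < n2; i++) print "-A " parent[order2[i]] " -s " net2[order2[i]] " -j " order2[i]
        for (i = 0; i < n2; i++) printf "%s", hosts[order2[i]]
        print "COMMIT"
    }'
}

# Usage: print the fragment for the constructed sample list.
printf '%s\n' "$SAMPLE_BLACKLIST" | gen_blacklist_tree
```

The fragment only declares the BL_* chains and their rules, so it is meant to be loaded with `iptables-restore -n` (no flush) on top of the existing ruleset, followed by a single `iptables -I INPUT -j BLACKLIST` hook; loading it as one restore transaction is also far faster than invoking the iptables binary once per rule, which is where most of the half hour in the original script goes.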