Re: Optimizing Kernel for huge iptables ruleset
Andrew Porter wrote:
> Thinking about this some more - and discussing it on IRC - you could
> create a binary-tree style group of chains - jumping down the chains
> based on the relevant IP subnets -
> chain1 - 220.127.116.11/8 - jumps to chainA
> chain2 - 18.104.22.168/8 - jumps to chainB
> chainA - 22.214.171.124 - DENY
> chainB - 126.96.36.199 - DENY
> You could optimise your list to the point that the most number of
> comparisons needed then would be 260ish with 3 layers of chains. You
> could easily generate this programmatically.
Thank You ever so much, that is indeed a very efficient approach. Since
in the end I only want to DROP stuff passing through INPUT from the
blacklisted IPs and none in FORWARD I just traversed the INPUT chain at
the very end '$IPTABLES -A INPUT -p tcp -d $IP_INET -i $DEV_INET -m
state --state NEW -j BLACKLIST'
That is still quite dirty when it comes to the blacklist (which does
consist of subnets actually) but for that small a network/line it should
Thank You again for Your quick and productive reply!
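The chain tree Andrew describes can be generated programmatically, as he suggests. The script below is an added example and is not code from either poster: it takes a blacklist of CIDRs (a constructed sample is embedded), groups them by first octet into second-level chains, and prints the iptables commands rather than executing them, so the output can be reviewed before it is piped into a shell. The chain names BLACKLIST and BL_<octet> are assumptions; the reply above hooks its own BLACKLIST chain from INPUT, and that hook is left to the reader. DENY in the quoted text is the old ipchains target; in iptables the equivalent is DROP, which the generated rules use.

```shell
#!/bin/sh
# Added example (not from the original thread): emit a two-level tree of
# iptables chains for a blacklist, keyed on the first octet of each entry.
# Chain names BLACKLIST and BL_<octet> are assumed, not taken from the thread.

# Constructed sample blacklist, one CIDR per line; replace with your own data.
SAMPLE_BLACKLIST='10.1.2.0/24
10.9.0.0/16
192.168.5.0/24
203.0.113.7/32
10.1.3.0/24'

# Print the iptables commands that build the tree from the blacklist in $1.
# Top level: one jump per first octet. Second level: the DROP rules for that octet.
gen_blacklist_rules() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*$' | LC_ALL=C sort -u | awk '
    {
        split($1, o, ".")                  # o[1] is the first octet
        key = o[1]
        if (!(key in seen)) {              # remember octets in first-seen order
            seen[key] = 1
            order[++n] = key
        }
        rules[key] = rules[key] $1 "\n"    # collect entries per octet
    }
    END {
        print "iptables -N BLACKLIST"
        for (i = 1; i <= n; i++) {
            k = order[i]
            print "iptables -N BL_" k
            # one top-level comparison per /8, instead of one per blacklist entry
            print "iptables -A BLACKLIST -s " k ".0.0.0/8 -j BL_" k
            m = split(rules[k], r, "\n")
            for (j = 1; j < m; j++)
                print "iptables -A BL_" k " -s " r[j] " -j DROP"
        }
        # packets matching nothing fall off the end of BL_<octet> and BLACKLIST
        # and return to the calling chain (INPUT in the reply above)
    }'
}

# Worst-case number of rule comparisons a packet can hit in the tree:
# all top-level jumps plus the longest second-level chain. Useful to check
# that the tree actually beats a flat list for a given blacklist size.
worst_case_comparisons() {
    gen_blacklist_rules "$1" | awk '
    /-A BLACKLIST / { top++ }
    /-A BL_[0-9]+ / { c[$3]++; if (c[$3] > max) max = c[$3] }
    END { print top + max }'
}

# Stand-alone usage: print the commands (pipe into sh to apply them).
gen_blacklist_rules "$SAMPLE_BLACKLIST"
echo "# worst-case comparisons: $(worst_case_comparisons "$SAMPLE_BLACKLIST")"
```

For the five-entry sample the worst case is 6 comparisons (3 top-level jumps plus the 3 rules in BL_10), more than a flat list of 5; the split only pays off once the blacklist is large enough that the biggest second-level chain plus the number of /8 jumps is well under the total entry count, which is the situation the quoted estimate of "260ish with 3 layers" describes.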