
Re: loading huge number of rules in iptables (blocklist)



On Wed, Mar 21, 2007 at 12:09:03PM -0400, H.S. wrote:
> Ron Johnson wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >On 03/21/07 10:52, H.S. wrote:
> >>H.S. wrote:
> >>
> >>>Now, currently, there are around 151,000 ipranges listed in level1.gz
> >>>to block. So the above function's loop goes over these many times
> >>>inserting the rules for each range. And this is taking huge amount of
> >>>time: in over 50 minutes, only around 12% rules have been loaded on my
> >>>router running Etch (Pentium III, 449MHz, 380 MB RAM).
> >>>
> >>>How can I speed this up? Advice?
> >>>
> >>>thanks,
> >>>->HS
> >>
> >>
> >>Anyone ... ?
> >
> >That's a whole lotta rules.  I'm not surprised that iptables doesn't
> >scale that well.
> 
> Yes. The experiment shows that this is not going well. I was wondering 
> if there are any alternatives. I currently have around 80,000 rules now 
> inserted, and the process is still continuing more than 17 hours later! 
> However, my internet connection seems to be holding up without any 
> noticeable performance cut so far.
> 

Nice to know that the connection is holding up, but there's got to be
a better way to do this. I'm not really up on iptables, but surely
there is some better way to distinguish the traffic to allow or not?
Maybe even just some judicious grepping of the rule set for partial
matches that could be lumped together?

It seems that you're operating on a default allow scenario with a bunch
of rules to delineate the deny situations. Maybe you could go the
other way? Default deny with a limited number of rules of what to
allow?

.02

A

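An added example, not from this thread, of the batch-loading approach the slow per-rule loop above is missing: each separate `iptables` call fetches and replaces the whole table, so inserting 151,000 rules one at a time grows roughly quadratically, whereas `iptables-restore` loads the same rules in one pass. It assumes the blocklist lines look like `label:first-last` (one IPv4 range per line) and uses the `iprange` match; the chain name BLOCKLIST and the sample file are constructed placeholders.

```shell
#!/bin/sh
# Turn a "label:A.B.C.D-E.F.G.H" blocklist into iptables-restore input
# so the whole set is loaded in a single atomic kernel transaction
# instead of one iptables invocation per range.
# Assumptions (not from the thread): the file format above, and a
# dedicated chain so the list never touches the user's own rules.

# gen_restore_rules FILE [CHAIN]
#   Prints an iptables-restore fragment for the filter table on stdout.
gen_restore_rules() {
    chain="${2:-BLOCKLIST}"            # constructed default chain name
    printf '*filter\n:%s - [0:0]\n' "$chain"
    # Hook the chain into INPUT and FORWARD once, not once per range.
    printf '%s\n' "-I INPUT -j $chain" "-I FORWARD -j $chain"
    # Drop comments and blank lines, then keep the range after the last ':'
    # (labels may themselves contain colons).
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    awk -F: -v chain="$chain" '{
        range = $NF
        # Skip anything that is not "first-last" to keep restore from aborting.
        if (range !~ /^[0-9.]+-[0-9.]+$/) next
        printf "-A %s -m iprange --src-range %s -j DROP\n", chain, range
    }'
    printf 'COMMIT\n'
}
```

Pipe the output into `iptables-restore -n` (no flush) to add the chain alongside the rules already in the kernel; without `-n` the whole filter table is replaced.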

