From: Phil Howard <phil-netfilter@ipal.net>
To: netfilter@lists.netfilter.org
Subject: Re: how to block 10000's of addresses?
Date: Sun, 13 Oct 2002 08:45:58 -0500	[thread overview]
Message-ID: <20021013084558.C15824@hamal.ipal.net> (raw)
In-Reply-To: <3DA9716C.8070806@bewegungsmelder.de>; from thomas.lussnig@bewegungsmelder.de on Sun, Oct 13, 2002 at 03:13:16PM +0200

On Sun, Oct 13, 2002 at 03:13:16PM +0200, Thomas Lussnig wrote:

| >
| >
| >| Why don't you want 10000 rules on your netfilter box ?   Have you tried it
| >| and found it causes any problems ?
| >
| >My understanding is they are tested sequentially.  Maybe this isn't true,
| >but I see no documentation to the contrary regarding netfilter being any
| >different than past table oriented access list style filtering which uses
| >sequential testing to implement the ordered logic usually involved.
| >
| >One other goal I had not mentioned is being able to add/delete netblocks
| >as needed without replacing the whole ruleset.  But I don't think it would
| >be a big issue.
| >
| With the possibility of user defined tables you can create a BTREE that
| is much faster than linear search.
| But I think that for this purpose a matching like "pool" should be the
| right one. There was some time ago a
| discussion here on whether pool should support sparse sets of IPs too (random
| spread). Maybe you can implement it
| and then use the pool module.

Can you provide some references?  URLs?  I'm not really following what
you are saying (maybe language problem) but maybe I would understand it
better with technical background.  I know about BTREE.  I do not know
about "pool" in this context.

I certainly want to avoid linear search of 10000 rules.

-- 
-----------------------------------------------------------------
| Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
| phil-nospam@ipal.net | Texas, USA | http://ka9wgn.ham.org/    |
-----------------------------------------------------------------

