* xtables/geoip vs ipset
@ 2010-12-09 23:14 Mr Dash Four
From: Mr Dash Four @ 2010-12-09 23:14 UTC (permalink / raw)
  To: 'netfilter@vger.kernel.org'

Currently I am employing a large number of ipsets (about 30k+ subnets in 
total) which hold IP subnets fetched from whatever the latest version of 
the geoip database I have sourced and compiled.

I am aware that xtables also has the geoip target, though I was wondering 
what the performance is like compared to having the same IP subnets 
loaded with ipset. Has anyone tested/compared these two matching methods?

I know the performance of iptables when it deals with a large number of IP 
addresses is absolutely abysmal, so I never tried to use the geoip target; 
I just wanted to see if that has changed?


* Re: xtables/geoip vs ipset
@ 2010-12-10  0:03 ` Jan Engelhardt
From: Jan Engelhardt @ 2010-12-10  0:03 UTC (permalink / raw)
  To: Mr Dash Four; +Cc: 'netfilter@vger.kernel.org'

On Friday 2010-12-10 00:14, Mr Dash Four wrote:

>Currently I am employing a large number of ipsets (about 30k+ subnets 
>in total) which hold IP subnets fetched from whatever the latest 
>version of the geoip database I have sourced and compiled.
>
>I am aware that xtables also has the geoip target, though I was 
>wondering what the performance is like compared to having the same IP 
>subnets loaded with ipset. Has anyone tested/compared these two 
>matching methods?
>
>I know the performance of iptables when it deals with a large number of 
>IP addresses is absolutely abysmal, so I never tried to use the geoip 
>target; I just wanted to see if that has changed?

The geoip target uses a bisection search, so the US database's 
19000-something entries are testable in roughly 15 steps.
Since it does not need any extra structures, it only takes as much 
kernel memory as the .iv0 file on disk.

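An added illustration of the bisection Jan describes (example code written for this page, not xt_geoip's own; the in-memory range record is an assumption, since the thread does not describe the .iv0 layout): a lookup over a sorted, non-overlapping range table with a probe counter, plus the worst-case bound that gives roughly 15 probes for a 19000-entry table, and the sortedness check a bisection silently depends on.

```c
#include <stddef.h>
#include <stdint.h>

/* One IPv4 range in host byte order, end inclusive. A table is an array of
 * these sorted by start and non-overlapping. The on-disk .iv0 layout is not
 * described in the thread, so this in-memory form is an assumption. */
struct ip_range { uint32_t start, end; };

/* Constructed sample table standing in for one country's ranges. */
const struct ip_range sample_ranges[] = {
    { 0x03000000u, 0x03FFFFFFu },  /* 3.0.0.0/8 */
    { 0x0B000000u, 0x0BFFFFFFu },  /* 11.0.0.0/8 */
    { 0x40000000u, 0x40FFFFFFu },  /* 64.0.0.0/8 */
    { 0x80000000u, 0x8000FFFFu },  /* 128.0.0.0/16 */
};

/* Worst-case probes for a bisection over n entries: floor(log2 n) + 1. */
unsigned bisect_steps(size_t n)
{
    unsigned steps = 0;
    while (n) { n >>= 1; steps++; }
    return steps;
}

/* Bisection is only correct on a sorted, non-overlapping table; an
 * out-of-order entry makes lookups silently wrong, not merely slow. */
int table_is_sorted(const struct ip_range *t, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (t[i].start > t[i].end) return 0;
        if (i && t[i - 1].end >= t[i].start) return 0;
    }
    return 1;
}

/* Returns 1 if addr falls inside some range, 0 otherwise. *steps receives
 * the number of probes made, so the log2 bound above can be checked. */
int geoip_match(const struct ip_range *t, size_t n, uint32_t addr, unsigned *steps)
{
    size_t lo = 0, hi = n;  /* half-open search window [lo, hi) */
    unsigned s = 0;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        s++;
        if (addr < t[mid].start)     hi = mid;       /* discard upper half */
        else if (addr > t[mid].end)  lo = mid + 1;   /* discard lower half */
        else { if (steps) *steps = s; return 1; }
    }
    if (steps) *steps = s;
    return 0;
}
```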

* Re: xtables/geoip vs ipset
@ 2010-12-10 13:13   ` Mr Dash Four
From: Mr Dash Four @ 2010-12-10 13:13 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: 'netfilter@vger.kernel.org'

> The geoip target uses a bisection search, so the US database's 
> 19000-something entries are testable in roughly 15 steps.
> Since it does not need any extra structures, it only takes as much 
> kernel memory as the .iv0 file on disk.
>   
I was much more interested in the performance of xtables/geoip vs ipset 
rather than how much memory it uses.
