From: Karl Gaissmaier <karl.gaissmaier@rz.uni-ulm.de>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Q: best solution to stop traffic to huge amount of
Date: Thu, 22 Aug 2002 20:44:07 +0000 [thread overview]
Message-ID: <marc-lartc-103004914132491@msgid-missing> (raw)
In-Reply-To: <marc-lartc-103000210313805@msgid-missing>
Marian Jancar wrote:
>
> On Thu, 22 Aug 2002 09:38:58 +0200
> "Karl Gaissmaier" <karl.gaissmaier@rz.uni-ulm.de> wrote:
>
> > I'm running a class B University network with approx 10k hosts
> > attached. I would now like to stop traffic from and to hosts
> > in my network not already registered in my DNS server.
> >
> > This means I have to handle approx 50k rules|routes. Sure
> > I can summarize the unallocated address space a little bit
> > with masks to approx 30k rules, anyway this seems to be a problem.
>
> Create tree with decreasing netmask, you will have more rules in total
> but packets will have to travel through only few of them.
Yep, I already thought about this. If I set decreasing netmasks from /17
to /32 I would end up with 2^16 chains, but after 16 comparisons
I would have a match. This would be the extreme!
If I create 256 different chains based on a /24 netmask
then I would have a match at least after 256 + 256 = 512
comparisons. The first max 256 comparisons select the
next chain and the last max 256 comparisons select the
/32 address in this special chain.
Anyway, I find it ugly that with iptables we have no
MADDR match (in analogy to MPORT). If you build a firewall
you always try to build groups of services (mport) and
groups of servers/clients (maddr). With iptables you have
to repeat the same rule n times for n similar servers/clients.
This is ugly and a performance bottleneck because these
similar rules are checked sequentially.
Best regards and thanks for your tip.
Charly
--
Karl Gaissmaier, Computing Center, University of Ulm, Germany
Email: karl.gaissmaier@rz.uni-ulm.de, Network Administration
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
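The two-level scheme Karl sketches (one rule per /24 selects a chain, the chain then matches the /32) as an added example; this is not code from the thread or from the LARTC project. It assumes a placeholder 10.1.0.0/16 in place of the real class B, a constructed list of registered hosts, and made-up chain names (REG_SRC, REG_SRC_<third octet>). Besides emitting an iptables-restore fragment it walks the tree the way the kernel evaluates it, so the comparison counts from the mail can be checked against real addresses:

```python
"""Two-level iptables chain tree for a "registered hosts only" policy.

Added example, not code from the thread.  NETWORK is a placeholder /16
standing in for the real class B, REGISTERED is a constructed sample of
DNS-registered hosts, and the chain names REG_SRC / REG_SRC_<octet> are
made up for this example.
"""
import ipaddress
from collections import defaultdict

NETWORK = ipaddress.ip_network("10.1.0.0/16")          # placeholder class B
REGISTERED = ["10.1.0.10", "10.1.0.11", "10.1.5.1",    # constructed sample
              "10.1.5.2", "10.1.5.3", "10.1.200.7"]
ANY = ipaddress.ip_network("0.0.0.0/0")


def build_tree(registered, network=NETWORK, root="REG_SRC"):
    """Return {chain: [(match_network, target), ...]}.

    The root chain holds exactly one rule per /24 of the network: a jump into
    that /24's own chain when it contains registered hosts, otherwise a direct
    DROP.  Each /24 chain lists its registered /32s with RETURN and ends in
    DROP, so a verdict needs at most 256 + (hosts in the /24) + 1 comparisons.
    """
    by24 = defaultdict(set)
    for host in registered:
        addr = ipaddress.ip_address(host)
        if addr not in network:
            raise ValueError(f"{addr} is outside {network}")
        by24[ipaddress.ip_network(f"{addr}/24", strict=False)].add(addr)

    chains = {root: []}
    for sub in network.subnets(new_prefix=24):
        if sub in by24:
            name = f"{root}_{sub.network_address.packed[2]}"  # third octet
            chains[root].append((sub, name))
            chains[name] = [(ipaddress.ip_network(f"{a}/32"), "RETURN")
                            for a in sorted(by24[sub])]
            chains[name].append((ANY, "DROP"))
        else:
            chains[root].append((sub, "DROP"))
    return chains


def render(chains, root="REG_SRC", flag="-s", parent="FORWARD", network=NETWORK):
    """iptables-restore fragment.  flag '-s' polices packets from the hosts,
    '-d' packets to them; build a second tree under another root name for the
    other direction."""
    lines = ["*filter"] + [f":{name} - [0:0]" for name in chains]
    lines.append(f"-A {parent} {flag} {network.with_prefixlen} -j {root}")
    for name, rules in chains.items():
        for net, target in rules:
            match = "" if net == ANY else f" {flag} {net.with_prefixlen}"
            lines.append(f"-A {name}{match} -j {target}")
    lines.append("COMMIT")
    return lines


def lookup(chains, addr, root="REG_SRC"):
    """Walk the tree the way the kernel evaluates it for one address and count
    the rules examined.  'PASS' means the packet left the root chain without a
    DROP: the host is registered and the caller's remaining policy applies."""
    addr = ipaddress.ip_address(addr)
    examined = 0

    def walk(chain):
        nonlocal examined
        for net, target in chains[chain]:
            examined += 1
            if addr not in net:
                continue
            if target in ("DROP", "RETURN"):
                return target
            if walk(target) == "DROP":      # jump into the /24 chain
                return "DROP"
            # RETURN from the sub-chain resumes with the next rule here
        return "RETURN"

    return ("DROP" if walk(root) == "DROP" else "PASS", examined)


def worst_case(chains, root="REG_SRC"):
    """Upper bound on rules examined for any address: the whole root chain plus
    the longest /24 chain.  A flat list costs len(registered) + 1 instead."""
    return len(chains[root]) + max(len(r) for n, r in chains.items() if n != root)


if __name__ == "__main__":
    tree = build_tree(REGISTERED)
    print("\n".join(render(tree)))
    for probe in ("10.1.5.9", "10.1.200.7", "10.1.77.77"):
        print(probe, lookup(tree, probe))
    print("worst case:", worst_case(tree), "flat:", len(REGISTERED) + 1)
```

The sub-chains end a registered host with RETURN rather than ACCEPT so that the rest of the FORWARD policy still applies to it; the price is that the kernel then finishes scanning the remaining /24 dispatch rules, which is why a registered host in a high /24 costs slightly more than the 256 + 256 bound in the mail suggests, while any unregistered host is dropped within the bound. Feed the rendered lines to iptables-restore, and generate the destination-side tree with `flag="-d"` under a different root name.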