* Matching 10000's of IP ranges
@ 2005-01-02 22:50 Brian Gunlogson
From: Brian Gunlogson @ 2005-01-02 22:50 UTC (permalink / raw)
To: netfilter
Hello list,
What is a reasonable way to match around 80000 IP ranges with iptables?
Thanks,
Brian G.
* Re: Matching 10000's of IP ranges
From: Krystian @ 2005-01-03 6:26 UTC (permalink / raw)
To: Brian Gunlogson; +Cc: netfilter
If I remember right, the iprange module might help you :)
Brian Gunlogson wrote:
>Hello list,
>
>What is a reasonable way to match around 80000 IP ranges with iptables?
>
>Thanks,
>Brian G.
* Re: Matching 10000's of IP ranges
From: Jozsef Kadlecsik @ 2005-01-03 8:07 UTC (permalink / raw)
To: Brian Gunlogson; +Cc: netfilter
On Sun, 2 Jan 2005, Brian Gunlogson wrote:
> What is a reasonable way to match around 80000 IP ranges with iptables?
If those are truly IP ranges, then there's no easy way - maybe nf-hipac
can help you.
If the ranges are really CIDR blocks, then ipset can help you: for
same-sized CIDR blocks, you can use it immediately and can collapse the
matching against the 80000 CIDR blocks practically into a single match.
If you have got different sized CIDR blocks, then a new maptype of
ipset could be written to support it.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: Matching 10000's of IP ranges
From: Stephen Frost @ 2005-01-03 14:34 UTC (permalink / raw)
To: Brian Gunlogson; +Cc: netfilter
* Brian Gunlogson (bmg300@yahoo.com) wrote:
> What is a reasonable way to match around 80000 IP ranges with iptables?
If there aren't too many actual *IP*s then you might look into
ipt_recent. It does more than you actually need but I've put 1.5M IP
addresses in an ipt_recent hash before. Many more than that and
ipt_recent runs into problems because it can't allocate enough memory w/
the default kernel memory setup.
Stephen
* Re: Matching 10000's of IP ranges
From: John A. Sullivan III @ 2005-01-03 18:17 UTC (permalink / raw)
To: Brian Gunlogson; +Cc: Netfilter users list
On Sun, 2005-01-02 at 14:50 -0800, Brian Gunlogson wrote:
> Hello list,
>
> What is a reasonable way to match around 80000 IP ranges with iptables?
>
> Thanks,
> Brian G.
<snip>
I'm not entirely sure of what you mean. Do you mean 80000 distinct IP
address ranges or 80000 addresses that fall into IP ranges which are not
on subnet boundaries?
The iprange patch will enable you to define ranges in iptables. If you
do not want to patch, you can use SubnetCreator
(http://subnetcreator.sourceforge.net). This will take a range and
break it into subnets. In fact there are some Qt objects included in
the application for doing this programmatically although I really need
to update them as we have made substantial improvements to them lately.
In fact, we use it as part of the ISCS network security management
project. If the chosen gateway has the iprange patch applied, we create
rules with ranges; if not, we use the subnetcreator routines to create
rules with subnets that together recreate the range.
You will also want to ensure that you load the rules with iptables-restore
or iptables-restore -n rather than using a script with lots of
iptables commands. At your size, individual iptables commands would
take forever to load.
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
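Jozsef's distinction between true ranges and CIDR blocks, and the range-to-subnet splitting John describes, come down to one algorithm: an arbitrary inclusive range is covered exactly by the largest aligned block at its start, repeated until the end is reached. The following is an added example (not SubnetCreator's code and not from the thread); the sample range 192.168.1.5 - 192.168.1.30 is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* One CIDR block: network address in host byte order plus prefix length. */
struct cidr { uint32_t net; int plen; };

/* Split the inclusive range [start, end] into the smallest set of aligned
 * CIDR blocks that covers it exactly. Returns the block count, or -1 if the
 * range is inverted or 'out' (capacity 'max') is too small. */
int range_to_cidrs(uint32_t start, uint32_t end, struct cidr *out, int max)
{
    int n = 0;
    if (start > end) return -1;
    for (;;) {
        /* Widen the block at 'start' while it stays aligned and inside the
         * range; 'wider' is the size of the candidate block with prefix plen-1. */
        int plen = 32;
        while (plen > 0) {
            uint64_t wider = (uint64_t)1 << (33 - plen);
            if ((start & (wider - 1)) != 0) break;          /* not aligned */
            if ((uint64_t)start + wider - 1 > end) break;   /* overshoots end */
            plen--;
        }
        if (n >= max) return -1;
        out[n].net = start;
        out[n].plen = plen;
        n++;
        uint64_t last = (uint64_t)start + ((uint64_t)1 << (32 - plen)) - 1;
        if (last >= end) return n;   /* range fully covered */
        start = (uint32_t)(last + 1);
    }
}

/* Pack a dotted quad into host byte order (for the constructed sample only). */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

int main(void)
{
    struct cidr blocks[64];
    /* Constructed range, not one from the thread: 192.168.1.5 - 192.168.1.30. */
    int n = range_to_cidrs(IP4(192, 168, 1, 5), IP4(192, 168, 1, 30), blocks, 64);
    for (int i = 0; i < n; i++)
        printf("%u.%u.%u.%u/%d\n", blocks[i].net >> 24, (blocks[i].net >> 16) & 255,
               (blocks[i].net >> 8) & 255, blocks[i].net & 255, blocks[i].plen);
    return n < 0;
}
```

Each emitted block is a candidate for one ipset entry or one iptables rule; a 26-address range that is not on a subnet boundary expands to seven blocks, which is why ranges cost more rules than CIDR blocks of equal size.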
* Re: Matching 10000's of IP ranges (solution)
From: Brian Gunlogson @ 2005-01-05 21:01 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: Netfilter developers list, Netfilter users list
Your solutions were way too slow. So I wrote a module that does a binary search to find ip ranges
in a sorted list. Would netfilter be interested in the source code? I don't have the desire to put
it into patch-o-matic format, but that shouldn't be hard to do. Also, it was built to read the
ranges from a file, but I don't know how to pass a dynamic amount of memory from iptables to the
kernel module so they must be hardcoded into the module.
Brian G.
--- "John A. Sullivan III" <jsullivan@opensourcedevelopmentcorp.com> wrote:
> > What is a reasonable way to match around 80000 IP ranges with iptables?
> The iprange patch will enable you to define ranges in iptables. If you
> do not want to patch, you can use SubnetCreator
> (http://subnetcreator.sourceforge.net).
>
> You will also want to ensure that you load the rules with iptables-restore
> or iptables-restore -n rather than using a script with lots of
> iptables commands. At your size, individual iptables commands would
> take forever to load.
> --
> John A. Sullivan III
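Brian's module source was not posted, so the following is an added userspace illustration (not his code) of the lookup he describes: a sorted, non-overlapping table of inclusive ranges searched by binary search, O(log n) per packet instead of one rule per range. The table is constructed sample data; a kernel match would hold it in kernel memory and run the same search from its match hook, and the validity check matters because an unsorted or overlapping table makes the search silently miss entries.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Inclusive IPv4 range in host byte order. */
struct iprange { uint32_t lo, hi; };

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Constructed sample table, already sorted by 'lo' and non-overlapping. */
const struct iprange SAMPLE_RANGES[] = {
    { IP4(10, 0, 0, 0),    IP4(10, 0, 0, 255) },
    { IP4(10, 1, 0, 0),    IP4(10, 1, 255, 255) },
    { IP4(192, 168, 1, 5), IP4(192, 168, 1, 30) },
};
const size_t SAMPLE_COUNT = sizeof SAMPLE_RANGES / sizeof SAMPLE_RANGES[0];

/* Validate once at load time: binary search is only correct when the table is
 * sorted and no two ranges overlap. Returns 1 if valid, 0 otherwise. */
int ranges_valid(const struct iprange *t, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (t[i].lo > t[i].hi) return 0;
        if (i > 0 && t[i].lo <= t[i - 1].hi) return 0;
    }
    return 1;
}

/* Per-packet lookup: index of the range containing addr, or -1 if none.
 * About log2(n) comparisons, so 80000 ranges cost roughly 17 steps rather
 * than a linear walk through 80000 rules. */
long range_lookup(const struct iprange *t, size_t n, uint32_t addr)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (addr < t[mid].lo)      hi = mid;
        else if (addr > t[mid].hi) lo = mid + 1;
        else                       return (long)mid;
    }
    return -1;
}

int main(void)
{
    if (!ranges_valid(SAMPLE_RANGES, SAMPLE_COUNT)) return 1;
    uint32_t probe = IP4(10, 1, 2, 3);   /* constructed probe address */
    printf("range index for 10.1.2.3: %ld\n",
           range_lookup(SAMPLE_RANGES, SAMPLE_COUNT, probe));
    return 0;
}
```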