xtables/geoip vs ipset

Linux Netfilter discussions
 help / color / mirror / Atom feed

* xtables/geoip vs ipset
@ 2010-12-09 23:14 Mr Dash Four
  2010-12-10  0:03 ` Jan Engelhardt
  0 siblings, 1 reply; 3+ messages in thread
From: Mr Dash Four @ 2010-12-09 23:14 UTC (permalink / raw)
  To: 'netfilter@vger.kernel.org'

Currently I am employing a large number of ipsets (about 30k+ subnets in 
total) which hold IP subnets fetched from whatever the latest version of 
the geoip database I have sourced and compiled.

I am aware that xtables also have the geoip target, though was wandering 
what the performance is like compared to having the same IP subnets 
loaded with ipset. Has anyone tested/compared these two matching methods?

I know the performance of iptables when it deals with large number of ip 
addresses is absolutely abysmal, so never tried to use the geoip target, 
so just wanted to see if that has changed?

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: xtables/geoip vs ipset
  2010-12-09 23:14 xtables/geoip vs ipset Mr Dash Four
@ 2010-12-10  0:03 ` Jan Engelhardt
  2010-12-10 13:13   ` Mr Dash Four
  0 siblings, 1 reply; 3+ messages in thread
From: Jan Engelhardt @ 2010-12-10  0:03 UTC (permalink / raw)
  To: Mr Dash Four; +Cc: 'netfilter@vger.kernel.org'

On Friday 2010-12-10 00:14, Mr Dash Four wrote:

>Currently I am employing a large number of ipsets (about 30k+ subnets 
>in total) which hold IP subnets fetched from whatever the latest 
>version of the geoip database I have sourced and compiled.
>
>I am aware that xtables also have the geoip target, though was 
>wandering what the performance is like compared to having the same IP 
>subnets loaded with ipset. Has anyone tested/compared these two 
>matching methods?
>
>I know the performance of iptables when it deals with large number of 
>ip addresses is absolutely abysmal, so never tried to use the geoip 
>target, so just wanted to see if that has changed?

The geoip target uses a bisection search, so the US database's 
19000-something entries are testable in roughly 15 steps.
Since it does not need any extra structures, it only takes as much 
kernel memory as the .iv0 file on disk.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: xtables/geoip vs ipset
  2010-12-10  0:03 ` Jan Engelhardt
@ 2010-12-10 13:13   ` Mr Dash Four
  0 siblings, 0 replies; 3+ messages in thread
From: Mr Dash Four @ 2010-12-10 13:13 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: 'netfilter@vger.kernel.org'


> The geoip target uses a bisection search, so the US database's 
> 19000-something entries are testable in roughly 15 steps.
> Since it does not need any extra structures, it only takes as much 
> kernel memory as the .iv0 file on disk.
>   
I was much more interested in the performance of xtables/geoip vs ipset 
rather than how much memory it uses.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2010-12-10 13:13 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-12-09 23:14 xtables/geoip vs ipset Mr Dash Four
2010-12-10  0:03 ` Jan Engelhardt
2010-12-10 13:13   ` Mr Dash Four

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox