[Gllug] iptables with 1000s of IP addresses

Tethys sta296 at astradyne.co.uk
Sun Dec 28 22:39:07 UTC 2008

Richard Jones writes:

>The list hit the 1000 mark recently (in fact, 1221 addresses right
>now) and is growing at ~ 50 new addresses / day.
>
> [...]
>
>Are there more efficient solutions?

Yes. The u32 classifier is designed for precisely this sort of
scenario, and apparently has significantly less overhead than
iptables. I'm only going on Jamal Hadi Salim's claims there.
I haven't personally measured it. However, Jamal has had over
10000 rules without problems. Details are in the LARTC HOWTO.
That said, be aware:

1. The syntax will give you headaches.
2. The LARTC documentation is a bit light on details. I'm not 100% sure
   there's enough there to give you a working solution in and of itself.
   Having the benefit of background from Jamal's tutorial at UKUUG really
   helped me here.

It's been a while since I've used it in anger, but if you get stuck,
I'll see if I can dredge up something from my sieve-like memory!

Tet
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
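As an added illustration of the u32 hashing approach Tet refers to (this is not from the original post or the LARTC HOWTO itself), the script below generates the tc commands for a large source-address blocklist: one 256-bucket hash table keyed on the last octet of the source IP, so each packet is checked against only the handful of entries in its bucket rather than a 1000-rule linear chain. The device name, table handle 1: and the addresses are constructed assumptions.

```shell
#!/bin/sh
# Generate (but do not execute) tc/u32 ingress filters that drop packets from
# a list of source IPv4 addresses, hashed on the last octet of the source.
# Constructed example: device, handle and sample addresses are assumptions.

# Hash bucket (two hex digits) for an address: its last octet, which is the
# byte selected by 'hashkey mask 0x000000ff at 12' (IP header src field).
bucket_for_ip() {
    last=${1##*.}
    printf '%02x' "$last"
}

# Emit the full rule set. $1 = device, remaining arguments = host addresses.
gen_u32_blocklist() {
    dev=$1; shift
    echo "tc qdisc add dev $dev handle ffff: ingress"
    # Hash table 1: with 256 buckets, attached to the ingress qdisc.
    echo "tc filter add dev $dev parent ffff: prio 5 protocol ip handle 1: u32 divisor 256"
    for ip in "$@"; do
        b=$(bucket_for_ip "$ip")
        # One entry per address, placed directly in its bucket.
        echo "tc filter add dev $dev parent ffff: prio 5 protocol ip u32 ht 1:$b: match ip src $ip/32 action drop"
    done
    # Root entry in the default table 800: sends every packet into table 1:,
    # choosing the bucket from the low byte of the source address.
    echo "tc filter add dev $dev parent ffff: prio 5 protocol ip u32 ht 800:: match ip src 0.0.0.0/0 hashkey mask 0x000000ff at 12 link 1:"
}

# Stand-alone use: sh gen_u32.sh eth0 < blocklist.txt (one host address per
# line); review the output, then pipe it into sh as root.
if [ $# -ge 1 ]; then
    gen_u32_blocklist "$1" $(cat)
fi
```

With ~1200 addresses spread over 256 buckets, a lookup compares against roughly five entries instead of walking the whole list.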