Re: loading huge number of rules in iptables (blocklist)
- From: Andrew Sackville-West <andrew@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 21 Mar 2007 10:08:23 -0700
On Wed, Mar 21, 2007 at 12:09:03PM -0400, H.S. wrote:
Ron Johnson wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/21/07 10:52, H.S. wrote:
H.S. wrote:
Now, currently, there are around 151,000 ipranges listed in level1.gz
to block. So the above function's loop goes over these many times
inserting the rules for each range. And this is taking huge amount of
time: in over 50 minutes, only around 12% rules have been loaded on my
router running Etch (Pentium III, 449MHz, 380 MB RAM).
How can I speed this up? Advice?
thanks,
->HS
Anyone ... ?
That's a whole lotta rules. I'm not surprised that iptables doesn't
scale that well.
Yes. The experiment shows that this is not going well. I was wondering
if there are any alternatives. I currently have around 80,000 rules now
inserted, and the process is still continuing more than 17 hours later!
However, my internet connection seems to be holding up without any
noticeable performance cut so far.
nice to know that the connection is holding up, but there's got to be
a better way to do this. I'm not really up on iptables, but surely
there is some better way to distinguish the traffic to allow or not?
Maybe even just some judicious grepping of the rule set for partial
matches that could be lumped together?
It seems that your operating on a default allow scenario with a bunch
of rules to delineate the deny situations. maybe you could go the
other way? default deny with a limited number of rules of what to
allow?
.02
A
Attachment:
signature.asc
Description: Digital signature
- Follow-Ups:
- References:
- Prev by Date: Re: No text mode display after grub
- Next by Date: Re: X problem after upgrade
- Previous by thread: Re: loading huge number of rules in iptables (blocklist)
- Next by thread: Re: loading huge number of rules in iptables (blocklist)
- Index(es):
Relevant Pages
|
