Matching 10000's of IP ranges (solution)
Brian Gunlogson
bmg300 at yahoo.com
Wed Jan 5 22:01:22 CET 2005
Your solutions were way too slow. So I wrote a module that does a binary search to find ip ranges
in a sorted list. Would netfilter be interested in the source code? I don't have the desire to put
it into patch-o-matic format, but that shouldn't be hard to do. Also, It was built to read the
ranges from a file, but I don't know how to pass a dynamic ammount of memory from iptables to the
kernel module so they must be hardcoded into the module.
Brian G.
--- "John A. Sullivan III" <jsullivan at opensourcedevelopmentcorp.com> wrote:
> > What is a reasonable way to match around 80000 IP ranges with iptables?
> The iprange patch will enable you to define ranges in iptables. If you
> do not want to patch, you can use SubnetCreator
> (http://subnetcreator.sourceforge.net).
>
> You will also want to ensure that you load the rules with iptables-
> restore or iptables-restore -n rather than using a script with lots of
> iptables commands. At your size, individual iptables commands would
> take forever to load.
> --
> John A. Sullivan III
__________________________________
Do you Yahoo!?
Read only the mail you want - Yahoo! Mail SpamGuard.
http://promotions.yahoo.com/new_mail
More information about the netfilter-devel
mailing list