matching a list of IPs
Samuel Krempp
Samuel.Krempp@crans.ens-cachan.fr
Sat, 15 Jul 2000 12:21:26 +0200
I think netfilter would be greater with rules that match packets whose
src/dst IP (or MAC) *belongs* in a given list of addresses.
Of course one can simply create a sequence of N rules (for a list of
N addresses), but matching the address in a bitmap would
improve the speed drastically in such a case.
By bitmap, I mean an array of 2^N bits, representing all the addresses
of a given network (even for a class B net, N=16 and the memory needed
isn't awfully big), with value 1 for addresses in the list and 0 for others.
Here is my motivation for this:
In our LAN, made of 4 class C nets (so N=10), some IP addresses are assigned
and some are not (40% assigned, 60% not).
To ensure nobody can plug into the LAN and get access to the Internet, I want
our firewall to block all unassigned IPs.
I considered playing with ARP stuff, to prevent communication with
unknown IP/MAC pairs at the Ethernet level, but it's too much
of a hack for my taste (arp allows you to permanently fix an IP/MAC entry,
so setting all 4*256 entries would do the trick, even if non-optimal...)
I'd prefer to block those at the firewall level, but I think putting in 500
rules for sequential testing is a stupid overhead...
Does anybody want to implement this? I don't really want to get into
libipq, even if this IP_bitmap thing should be quite simple to implement.
--
Samuel
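The bitmap Samuel sketches above, worked out as an added C example. This is illustration code written for this page, not part of the original post and not netfilter code; the struct and function names, the 10.0.0.0/22 LAN (four class C nets, so N = 10) and its list of assigned hosts are all constructed for the example. The lookup is one shift to check that the address is inside the network at all, one subtraction to get its offset, and one bit test, independent of how many addresses are on the list.

```c
/* ip_bitmap.c: O(1) "is this IP on the list?" via a bitmap over a network.
 * Added illustration, not netfilter code. The 10.0.0.0/22 LAN and the
 * assigned hosts below are constructed sample data. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct ipbitmap {
    uint32_t base;       /* network address, host byte order */
    unsigned int nbits;  /* N: host bits covered, so 2^N addresses */
    uint8_t *bits;       /* one bit per address, 1 = on the list */
};

/* Bytes needed for a /prefix network: 2^(32-prefix) bits. /22 -> 128, /16 -> 8192. */
size_t ipbitmap_size(unsigned int prefix) {
    return (((size_t)1 << (32 - prefix)) + 7) / 8;
}

/* Dotted quad -> host byte order. Returns 0 on a malformed string. */
static int ip4(const char *s, uint32_t *out) {
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Allocate a zeroed bitmap covering base/prefix. /8 (2 MiB) is the largest
 * allowed here; the per-LAN use in the post never needs more. */
int ipbitmap_init(struct ipbitmap *m, const char *base, unsigned int prefix) {
    uint32_t b;
    if (prefix < 8 || prefix > 32 || !ip4(base, &b)) return -1;
    m->nbits = 32 - prefix;
    m->base = b & (0xffffffffu << m->nbits);  /* clear host bits of the base */
    m->bits = calloc(ipbitmap_size(prefix), 1);
    return m->bits ? 0 : -1;
}

void ipbitmap_free(struct ipbitmap *m) { free(m->bits); m->bits = NULL; }

/* Offset of ip inside the bitmap, or -1 if ip is not in base/prefix. */
static long ipbitmap_index(const struct ipbitmap *m, uint32_t ip) {
    if (m->nbits < 32 && (ip >> m->nbits) != (m->base >> m->nbits)) return -1;
    return (long)(ip - m->base);
}

/* Put addr on the list. Returns -1 if it is malformed or outside the network. */
int ipbitmap_set(struct ipbitmap *m, const char *addr) {
    uint32_t ip; long i;
    if (!ip4(addr, &ip) || (i = ipbitmap_index(m, ip)) < 0) return -1;
    m->bits[i >> 3] |= (uint8_t)(1u << (i & 7));
    return 0;
}

/* The O(1) match: 1 = on the list, 0 = in the network but not listed,
 * -1 = outside the network (or malformed), i.e. not this rule's business. */
int ipbitmap_test(const struct ipbitmap *m, const char *addr) {
    uint32_t ip; long i;
    if (!ip4(addr, &ip) || (i = ipbitmap_index(m, ip)) < 0) return -1;
    return (m->bits[i >> 3] >> (i & 7)) & 1;
}

/* The post's policy: drop LAN sources that are not assigned, leave everything
 * else to later rules. Returns 1 = DROP, 0 = pass. */
int drop_unassigned_src(const struct ipbitmap *m, const char *src) {
    return ipbitmap_test(m, src) == 0;
}

/* Constructed sample LAN: 10.0.0.0/22 (N = 10) with a few assigned hosts. */
static const char *const ASSIGNED[] = { "10.0.0.10", "10.0.1.5", "10.0.3.254" };

/* Build the sample table once and classify one source; 1 = DROP, 0 = pass. */
int sample_verdict(const char *src) {
    static struct ipbitmap lan;
    static int ready;
    if (!ready) {
        if (ipbitmap_init(&lan, "10.0.0.0", 22) != 0) abort();
        for (size_t i = 0; i < sizeof ASSIGNED / sizeof ASSIGNED[0]; i++)
            ipbitmap_set(&lan, ASSIGNED[i]);
        ready = 1;
    }
    return drop_unassigned_src(&lan, src);
}

int main(void) {
    const char *pkts[] = { "10.0.1.5", "10.0.1.6", "10.0.3.254", "10.0.4.1", "8.8.8.8" };
    printf("/22 bitmap uses %zu bytes; /16 would use %zu\n",
           ipbitmap_size(22), ipbitmap_size(16));
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        printf("src %-12s -> %s\n", pkts[i], sample_verdict(pkts[i]) ? "DROP" : "pass");
    return 0;
}
```

Two points a practitioner would watch: the rule must distinguish "in the network but unlisted" (drop) from "outside the network" (not this rule's concern), which is why `ipbitmap_test` returns three values rather than a boolean; and the same trick does not transfer directly to MAC addresses, since a 48-bit space cannot be indexed by a flat bitmap and would need a hash table instead. For the record, this bitmap-over-a-range matcher is essentially what the later ipset `bitmap:ip` set type provides for iptables.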