On Tue, 2004-10-19 at 13:45, Andrew Porter wrote:
> On Tue, 2004-10-19 at 13:04, Martin G.H. Minkler wrote:
> >
> > Two iptables rulesets:
> > The first 'normal' ruleset is pretty restrictive against connections from
> > the outside, more or less open towards connections opened from the LAN.
> > The second ruleset inserted after the first is a huge IP blacklist
> > (1.4MB iptables script!) that takes nearly half an hour to be inserted
> > into the running ruleset.
Thinking about this some more - and discussing it on IRC - you could create a
binary-tree style group of chains - jumping down the chains based on the
relevant IP subnets -

  chain1 - 123.0.0.0/8 - jumps to chainA
  chain2 - 125.0.0.0/8 - jumps to chainB

  chainA - 123.3.4.5 - DENY
  chainB - 125.12.11.10 - DENY

You could optimise your list to the point that the most number of comparisons
needed then would be 260ish with 3 layers of chains. You could easily generate
this programmatically.
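As an added illustration of the chain tree described above (not code from the thread or its authors), the script below groups a blocklist into /8 and /16 chains, emits the iptables commands, and computes the worst-case number of rule comparisons a packet can hit. The chain naming scheme (BL_ROOT, BL_123_0_0_0_8, ...) and the sample addresses are my own assumptions; the thread's real 1.4MB list is not on the page.

```python
import ipaddress
from collections import defaultdict

# Constructed sample blocklist (not the thread's real list).
BLACKLIST = ["123.3.4.5", "123.7.8.9", "123.7.9.1",
             "125.12.11.10", "125.12.200.1", "198.51.100.7"]

def synthetic_blacklist(n8=16, n16=8, n_hosts=8):
    """Constructed larger list: n8 /8s, each with n16 /16s, each holding n_hosts hosts."""
    return [f"{10 + a}.{b}.0.{h + 1}"
            for a in range(n8) for b in range(n16) for h in range(n_hosts)]

def _chain_name(net):
    # Hypothetical naming scheme, e.g. 123.0.0.0/8 -> BL_123_0_0_0_8 (fits the 28-char limit).
    return "BL_" + str(net.network_address).replace(".", "_") + f"_{net.prefixlen}"

def group_by_subnet(addrs):
    """Nest hosts as /8 -> /16 -> [host] so each layer only inspects its own branch."""
    tree = defaultdict(lambda: defaultdict(list))
    for a in addrs:
        ip = ipaddress.ip_address(a)
        n8 = ipaddress.ip_network(f"{ip}/8", strict=False)
        n16 = ipaddress.ip_network(f"{ip}/16", strict=False)
        tree[n8][n16].append(ip)
    return tree

def build_chain_tree(addrs):
    """Emit the iptables commands that create the chain tree and hook it into INPUT."""
    tree = group_by_subnet(addrs)
    cmds = ["iptables -N BL_ROOT"]
    for n8, subnets in sorted(tree.items()):
        c8 = _chain_name(n8)
        cmds += [f"iptables -N {c8}", f"iptables -A BL_ROOT -s {n8} -j {c8}"]
        for n16, hosts in sorted(subnets.items()):
            c16 = _chain_name(n16)
            cmds += [f"iptables -N {c16}", f"iptables -A {c8} -s {n16} -j {c16}"]
            for h in sorted(hosts):
                cmds.append(f"iptables -A {c16} -s {h} -j DROP")
    # Packets matching nothing fall off the end of each chain and return to INPUT.
    cmds.append("iptables -I INPUT 1 -j BL_ROOT")
    return cmds

def worst_case_comparisons(addrs):
    """Longest path a packet can take: all root rules + one /8 chain + one /16 chain."""
    tree = group_by_subnet(addrs)
    return max(len(tree) + len(subnets) + len(hosts)
               for subnets in tree.values() for hosts in subnets.values())

if __name__ == "__main__":
    print("\n".join(build_chain_tree(BLACKLIST)))
    big = synthetic_blacklist()
    print(f"# flat list: {len(big)} comparisons, tree: {worst_case_comparisons(big)}")
```

The tree only helps lookup cost once the list is large (for the six-entry sample it is slightly worse than a flat chain); loading time is a separate problem, and feeding the generated rules to iptables-restore in one batch avoids re-copying the whole table on every iptables invocation.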

