Aloha!
Andrew Porter wrote:
> Thinking about this some more - and discussing it on IRC - you could
> create a binary-tree style group of chains - jumping down the chains
> based on the relevant IP subnets -
>
> chain1 - 123.0.0.0/8 - jumps to chainA
> chain2 - 125.0.0.0/8 - jumps to chainB
>
> chainA - 123.3.4.5 - DENY
> chainB - 125.12.11.10 - DENY
>
> You could optimise your list to the point that the most number of
> comparisons needed then would be 260ish with 3 layers of chains. You
> could easily generate this programmatically.
Thank you ever so much, that is indeed a very efficient approach. Since in the end I only want to DROP stuff passing through INPUT from the blacklisted IPs and none in FORWARD, I just traversed the INPUT chain at the very end: '$IPTABLES -A INPUT -p tcp -d $IP_INET -i $DEV_INET -m state --state NEW -j BLACKLIST'
That is still quite dirty when it comes to the blacklist (which does actually consist of subnets), but for that small a network/line it should be sufficient.
Thank you again for your quick and productive reply!
regards
Martin
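A generator for the chain tree Andrew sketches above, as an added example that is not part of the thread: it assumes a blacklist of one IP or CIDR per line, buckets entries by first octet (one /8 layer above the DROP rules), and emits iptables-restore syntax instead of calling iptables; the chain names BLACKLIST and BL_<octet> and the helper names are assumptions.

```shell
#!/bin/sh
# Hypothetical generator (not from the thread): builds the two-layer chain
# tree Andrew describes from a blacklist on stdin (one IP or CIDR per line)
# and prints iptables-restore syntax for review (e.g. `iptables-restore -n`).

# Constructed sample blacklist (made-up addresses): hosts and subnets mixed.
SAMPLE_BLACKLIST='123.3.4.5
123.77.0.0/16
125.12.11.10
125.12.11.11
198.51.100.0/24'

# Emit the chain tree for the blacklist read from stdin.
# Layer 1 (BLACKLIST) holds one jump per /8 bucket; layer 2 (BL_<octet>)
# holds the DROP rules, so a packet only walks the rules of its own /8.
gen_blacklist_rules() {
    awk '
    /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }     # skip blanks, comments
    {
        entry = $1
        split(entry, o, ".")                           # first octet = bucket
        bucket = o[1]
        if (!(bucket in seen)) { seen[bucket] = 1; order[++n] = bucket }
        rules[bucket] = rules[bucket] "-A BL_" bucket " -s " entry " -j DROP\n"
    }
    END {
        print "*filter"
        print ":BLACKLIST - [0:0]"
        for (i = 1; i <= n; i++) print ":BL_" order[i] " - [0:0]"
        for (i = 1; i <= n; i++)
            print "-A BLACKLIST -s " order[i] ".0.0.0/8 -j BL_" order[i]
        for (i = 1; i <= n; i++) printf "%s", rules[order[i]]
        print "COMMIT"
    }'
}

# Worst-case rule matches for one packet inside the tree: every layer-1
# jump plus the largest bucket. Handy for checking the tree really shrank
# the walk compared with one flat chain.
worst_case_comparisons() {
    gen_blacklist_rules | awk '
    /^-A BLACKLIST / { l1++ }
    /^-A BL_/ { c[$2]++; if (c[$2] > max) max = c[$2] }
    END { print l1 + max }'
}

# Print the rules for the constructed sample; hook the tree from INPUT
# afterwards with a rule such as "-A INPUT ... -j BLACKLIST".
printf '%s\n' "$SAMPLE_BLACKLIST" | gen_blacklist_rules
```

For the five sample entries the flat chain would be walked five rules deep, while the tree tops out at three jumps plus the two rules of the fullest bucket.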

