[Firehol-support] very long blacklist
Bernhard J. M. Gruen
bjmg at h0t.de
Fri Apr 16 11:37:59 BST 2004
Costa Tsaousis wrote:
>Bernhard,
>
>below is a reply to a similar problem.
>
>Costa
>
>
>---
>
>
>
>[some lines of description erased by bjmg]
>
>#!/bin/sh
># USAGE: block.sh IP
># Insert the address at the top of INPUT and FORWARD, jumping to the blacklist chain.
>[ $# -eq 1 ] || { echo "usage: $0 IP" >&2; exit 1; }
>/sbin/iptables -I INPUT -s "$1" -j BL_IN_UNI
>/sbin/iptables -I FORWARD -s "$1" -j BL_IN_UNI
>
>#!/bin/sh
># USAGE: unblock.sh IP
># Delete the rules added by block.sh (same match, same target).
>[ $# -eq 1 ] || { echo "usage: $0 IP" >&2; exit 1; }
>/sbin/iptables -D INPUT -s "$1" -j BL_IN_UNI
>/sbin/iptables -D FORWARD -s "$1" -j BL_IN_UNI
>
>
>
Hi Costa,
This works fine and a little faster. But now I have found an even faster
method of loading those blacklist entries. I created a file that I piped
to iptables-restore. With this method I can save the time to run
/sbin/iptables again every time. Now I have a blacklist and I did some
benchmarking with it. I came to the conclusion that 19% of processor
time is too much. After some further tests I probably have a solution to
speed this up too. The blacklist entries are at the beginning of INPUT,
OUTPUT and FORWARD, so every packet has to go through this test (about
6000 rules in each chain). But there are also some packets (in reality most of
the packets) that belong to an established connection. So there is no
need to test for these connections. I am not sure if this feature can be
integrated into FireHOL, but it would be really nice because it saves A
LOT of time (19% --> 4%).
By the way FireHOL could also use the iptables-restore method to start
faster. For this FireHOL has to write every line of iptables code into a
temporary file instead of starting iptables itself. At the end of the
FireHOL code this temporary file should be piped to iptables-restore. :-)
Bernhard
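An added example, not code from this thread or from FireHOL, of the two ideas in the message above: generate the whole blacklist as one iptables-restore ruleset instead of running /sbin/iptables once per entry, and put an ESTABLISHED,RELATED accept in front of the blacklist jump so that only packets of new connections are checked against the list. The chain name BL_IN_UNI is taken from Costa's scripts; the blacklist file format (one IPv4 address or CIDR per line, `#` comments), the function names and the DROP target are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not FireHOL or Costa's code): build an iptables-restore
# ruleset for a large blacklist and let known connections bypass it.
# Assumptions: IPv4 entries, one address or CIDR per line, '#' starts a
# comment. BL_IN_UNI comes from the thread; everything else is hypothetical.

BL_CHAIN=BL_IN_UNI

# Return 0 if $1 looks like an IPv4 address or CIDR prefix. This is a coarse
# syntactic check only; iptables-restore still rejects nonsense like 999.1.1.1.
bl_valid_entry() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the usable entries of blacklist file $1, one per line. Comments and
# blank lines are ignored; malformed lines are reported on stderr and skipped
# rather than aborting the whole load.
bl_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if bl_valid_entry "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'skipping malformed blacklist entry: %s\n' "$entry" >&2
        fi
    done
}

# Write a complete iptables-restore ruleset for blacklist file $1 to stdout.
# With $2 = "nohooks" the INPUT/FORWARD hook rules are left out (for reloads,
# once the hooks are already in place).
bl_restore_ruleset() {
    hooks=${2:-hooks}
    printf '%s\n' '*filter'
    # Declaring the chain (re)creates it empty, so a reload replaces the
    # previous list instead of appending to it.
    printf ':%s - [0:0]\n' "$BL_CHAIN"
    if [ "$hooks" = hooks ]; then
        for chain in INPUT FORWARD; do
            # Position 1: packets of already known connections never reach
            # the ~6000 blacklist rules at all.
            printf -- '-I %s 1 -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$chain"
            # Position 2: only new connections are checked against the list.
            printf -- '-I %s 2 -j %s\n' "$chain" "$BL_CHAIN"
        done
    fi
    # One rule per entry in the dedicated chain, not one per entry per chain.
    bl_entries "$1" | while IFS= read -r entry; do
        printf -- '-A %s -s %s -j DROP\n' "$BL_CHAIN" "$entry"
    done
    printf '%s\n' 'COMMIT'
}
```

Load it with `bl_restore_ruleset /etc/blacklist.txt | iptables-restore --noflush` (the path is hypothetical). `--noflush` matters: a plain `iptables-restore` flushes the filter table and would wipe the rules FireHOL installed. Since the two `-I` hook rules would be inserted again on every load, pass `nohooks` on subsequent reloads; the `:BL_IN_UNI` line still empties the chain each time, so the list itself is replaced cleanly.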