Marian Jancar wrote:
>
> On Thu, 22 Aug 2002 09:38:58 +0200
> "Karl Gaissmaier" <karl.gaissmaier@rz.uni-ulm.de> wrote:
>
> > I'm running a class B University network with approx 10k hosts
> > attached. I would now like to stop traffic from and to hosts
> > in my network not already registered in my DNS server.
> >
> > This means I've to handle with approx 50k rules|routes. Sure
> > I can summarize the unallocated address space a little bit
> > with masks to approx 30k rules, anyway this seems to be a problem.
>
> Create tree with decreasing netmask, you will have more rules in total
> but packets will have to travel through only few of them.

Yep, I thought already about this. If I set decreasing netmasks from /17
to /32 I would end up with 2^16 chains but after 16 comparisons I would
have a match. This would be the extreme!

If I create 256 different chains based on a /24 netmask then I would have
a match at least after 256 + 256 = 512 comparisons. The first max 256
comparisons select the next chain and the last max 256 comparisons select
the /32 address in this special chain.

Anyway I find this ugly with iptables that we have no MADDR match (in
analogy to MPORT). If you build a firewall you always try to build groups
of services (mport) and groups of servers/clients (maddr). With iptables
you have to repeat the same rule n times for n similar servers/clients.
This is ugly and a performance bottleneck because these similar rules are
checked sequentially.

Best regards and thanks for your tip.

Charly

--
Karl Gaissmaier
Computing Center, University of Ulm, Germany
Email: karl.gaissmaier@rz.uni-ulm.de
Network Administration

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
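The /24 dispatch tree discussed in the thread, as an added example that is not part of the original post: a generator that turns a list of DNS-registered hosts in a /16 into one dispatch chain (one rule per /24) plus per-/24 leaf chains of /32 entries, dropping everything else, and reports the worst-case number of rules a packet evaluates versus a flat chain. The chain names, the `10.0.0.0/16` prefix and the host list are assumptions; the destination side is produced the same way with `flag="-d"`.

```python
import ipaddress
from collections import defaultdict


def build_chain_tree(registered, network="10.0.0.0/16", flag="-s",
                     hook="FORWARD"):
    """Return (rules, stats) for a /24 -> /32 iptables chain tree.

    flag is -s (source side) or -d (destination side). stats holds the
    chains created, the -A rules loaded, and the worst-case number of
    rules one packet evaluates in the tree versus in one flat chain.
    Chain names and the default prefix are assumptions of this example.
    """
    net = ipaddress.ip_network(network)
    if net.prefixlen > 24:
        raise ValueError("tree expects a /24 or larger prefix")
    by_subnet = defaultdict(set)
    for ip in registered:
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {network}")
        by_subnet[ipaddress.ip_network(f"{addr}/24", strict=False)].add(addr)

    root = "REG_" + ("SRC" if flag == "-s" else "DST")
    rules, leaf_rules = [f"iptables -N {root}"], []
    for subnet in net.subnets(new_prefix=24):
        if subnet not in by_subnet:
            # No registered host in this /24: drop it in the dispatch chain.
            rules.append(f"iptables -A {root} {flag} {subnet} -j DROP")
            continue
        leaf = f"{root}_{subnet.network_address}".replace(".", "_")
        rules.append(f"iptables -N {leaf}")
        rules.append(f"iptables -A {root} {flag} {subnet} -j {leaf}")
        for addr in sorted(by_subnet[subnet]):
            # Registered host: RETURN to the dispatch chain; no later
            # dispatch rule matches it, so it falls back to the hook chain.
            leaf_rules.append(f"iptables -A {leaf} {flag} {addr} -j RETURN")
        leaf_rules.append(f"iptables -A {leaf} -j DROP")  # rest of the /24
    rules += leaf_rules
    rules.append(f"iptables -A {hook} {flag} {net} -j {root}")

    dispatch = 2 ** (24 - net.prefixlen)
    biggest = max((len(v) for v in by_subnet.values()), default=0)
    stats = {
        "chains": 1 + len(by_subnet),
        "rules": sum(1 for r in rules if " -A " in r),
        "worst_case_tree": dispatch + biggest + 1,
        "worst_case_flat": sum(len(v) for v in by_subnet.values()) + 1,
    }
    return rules, stats
```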