Andreas Klauer wrote:
> On Tuesday 09 August 2005 18:53, panca sorin wrote:
> > I have about 1650 preferred destination networks listed in some file. The
> > script reads this file and marks every package for those networks with
> > the mark value of 1.
> If you have a lot of IPs in this list, a hashed approach might work faster.
> See LARTC Howto, 12.4 Hashing filters. Although it describes tc filters,
> the approach should be similar for iptables. Furthermore, using CONNMARK might
> speed things up. With it, you can skip testing packets of connections that
> already matched (and, if used right, you can also skip packets of
> connections that don't match as well). There are also patches that allow
> bitwise modification of mark values.
You can get this stuff from www.netfilter.org, the patches are in pom-ng.
Look for ipset if the list is random.
http://people.netfilter.org/kadlec/ipset/
--and-mark and --or-mark are part of main iptables now
Andy.
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
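The thread above suggests two things for a 1650-entry network list: put the networks in an ipset (hash:net) instead of 1650 separate iptables rules, and use CONNMARK so that only the first packet of a connection is tested against the set. The following is an added example, not code from any of the posters: it reads a file in the format the original post describes (one network per line), validates and collapses adjacent networks with Python's standard `ipaddress` module, and emits an `ipset restore` file plus the mangle-table rules. The set name `preferred`, the chain name `PREFMARK`, and the use of mark value 2 for "already tested, not preferred" are assumptions of this example; mark value 1 for preferred networks comes from the original post.

```python
#!/usr/bin/env python3
"""Generate ipset + iptables/CONNMARK configuration for a list of preferred networks.

Added example; assumes a set named 'preferred' (hash:net) and a user chain
'PREFMARK' in the mangle table.  Nothing here is applied to the kernel: the
functions return text that an administrator can review and then pipe into
`ipset restore` and a shell.
"""
import ipaddress
from typing import Iterable, List

SET_NAME = "preferred"   # assumed ipset name
CHAIN = "PREFMARK"       # assumed user chain in the mangle table
MARK_PREFERRED = 1       # mark value from the original post
MARK_OTHER = 2           # assumed: "tested, not preferred", so the set is not re-checked


def parse_networks(lines: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """One network per line; '#' starts a comment; malformed entries are errors.

    strict=False masks off host bits ('10.0.0.5/24' -> 10.0.0.0/24), which is
    what hash:net would do anyway; a typo that is not an address at all is
    rejected with the line number so the file can be fixed.
    """
    nets = []
    for lineno, raw in enumerate(lines, 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r} is not a valid network") from exc
        if net.version != 4:
            raise ValueError(f"line {lineno}: {entry!r} is not IPv4 (set uses family inet)")
        nets.append(net)
    return nets


def collapse(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent/overlapping networks; fewer set entries, same coverage."""
    return list(ipaddress.collapse_addresses(nets))


def ipset_restore(nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Text for `ipset restore`; -exist makes it safe to re-run."""
    out = [f"create {SET_NAME} hash:net family inet -exist"]
    out += [f"add {SET_NAME} {n.with_prefixlen} -exist" for n in nets]
    return "\n".join(out) + "\n"


def iptables_rules() -> List[str]:
    """Mangle-table rules: one set lookup per connection, not per packet."""
    return [
        f"iptables -t mangle -N {CHAIN}",
        # copy the connection's stored mark (if any) onto this packet
        f"iptables -t mangle -A {CHAIN} -j CONNMARK --restore-mark",
        # connection already classified (mark 1 or 2): skip the set lookup
        f"iptables -t mangle -A {CHAIN} -m mark ! --mark 0 -j RETURN",
        # first packet of a new connection: one hash lookup in the set
        f"iptables -t mangle -A {CHAIN} -m set --match-set {SET_NAME} dst "
        f"-j MARK --set-mark {MARK_PREFERRED}",
        # not preferred: remember that too, so later packets also skip the lookup
        f"iptables -t mangle -A {CHAIN} -m mark --mark 0 -j MARK --set-mark {MARK_OTHER}",
        # persist the decision on the conntrack entry
        f"iptables -t mangle -A {CHAIN} -j CONNMARK --save-mark",
        f"iptables -t mangle -A PREROUTING -j {CHAIN}",
    ]


if __name__ == "__main__":
    # constructed sample list standing in for the 1650-entry file
    sample = ["10.0.0.0/24", "10.0.1.0/24  # adjacent to the previous one",
              "", "# a comment line", "192.168.0.0/16"]
    nets = collapse(parse_networks(sample))
    print(ipset_restore(nets))
    print("\n".join(iptables_rules()))
```

Routing or tc rules that key on mark 1 behave exactly as in the original script; mark 2 only exists so that non-preferred connections are not looked up again on every packet. Without CONNMARK the set lookup would still be a single hash probe per packet, which is already far cheaper than 1650 linear rule matches.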