On Friday 2009-09-18 01:01, Mikulas Patocka wrote:
>> On Thursday 2009-09-17 21:15, Mikulas Patocka wrote:
>> >
>> >Here I submit an iptables module that can match large amounts (millions)
>> >of ip addresses efficiently using binary search.
>>
>> So you just reinvented xt_geoip...
>
>I am wondering, if there are two approaches for matching large amounts of
>addresses (xt_geoip and ipset), why is none of them in the kernel?

Because, so I would estimate, Patrick would decline patches with the
reasoning of redundant code. Especially so "IPMARK".

>I was saying how OpenBSD is better than Linux because OpenBSD has
>tree-based firewall tables --- hmm --- well --- Linux has them too, except
>that no one can really find them because they are not in the kernel.

You can build trees of chains with iptables. (Which would be quite a fast
thing if you do not have modules at hand.)
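
Added example, not part of the original thread: one way to build the "tree of chains" mentioned in the reply, using a single level of dispatch on the /8 prefix so that a packet is only compared against the rules in its own bucket. The chain name `BLK`, the `split` parameter, the IPv4-only input and the sample ranges are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample blocklist (documentation and private ranges only).
SAMPLE = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
          "10.1.0.0/16", "10.2.0.0/16", "10.3.4.0/24"]

def bucketize(cidrs, split=8):
    """Group IPv4 networks under their /split supernet (one sub-chain each)."""
    buckets = defaultdict(list)
    for net in sorted(ipaddress.ip_network(c) for c in cidrs):
        if net.prefixlen < split:
            raise ValueError(f"{net} is wider than /{split}")
        buckets[net.supernet(new_prefix=split)].append(net)
    return dict(buckets)

def restore_lines(cidrs, root="BLK", split=8):
    """Emit iptables-restore input: root chain dispatches, sub-chains drop."""
    buckets = bucketize(cidrs, split)
    name = {b: f"{root}_{int(b.network_address):08x}" for b in buckets}
    out = ["*filter", f":{root} - [0:0]"]
    out += [f":{name[b]} - [0:0]" for b in buckets]
    out += [f"-A {root} -s {b} -j {name[b]}" for b in buckets]
    for b, nets in buckets.items():
        out += [f"-A {name[b]} -s {n} -j DROP" for n in nets]
    return out + ["COMMIT"]

def rules_evaluated(addr, cidrs, split=8):
    """Count rules compared for addr: (one flat chain, tree of chains)."""
    ip = ipaddress.ip_address(addr)
    buckets = bucketize(cidrs, split)
    flat = 0
    for n in (n for nets in buckets.values() for n in nets):
        flat += 1
        if ip in n:  # DROP ends traversal
            break
    tree = 0
    for b, nets in buckets.items():
        tree += 1  # dispatch rule in the root chain
        if ip in b:
            for n in nets:
                tree += 1  # leaf rule in the sub-chain
                if ip in n:
                    return flat, tree
    return flat, tree
```

Load the generated lines with `iptables-restore --noflush` and jump to `BLK` from the chain that should apply the list; splitting each bucket again on a longer prefix deepens the tree in the same way.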