> > >| Why don't you want 10000 rules on your netfilter box? Have you tried it
> > >| and found it causes any problems?
> >
> > My understanding is they are tested sequentially. Maybe this isn't true,
> > but I see no documentation to the contrary regarding netfilter being any
> > different than past table-oriented access-list-style filtering, which uses
> > sequential testing to implement the ordered logic usually involved.
> >
> > One other goal I had not mentioned is being able to add/delete netblocks
> > as needed without replacing the whole ruleset. But I don't think it would
> > be a big issue.
>

With the possibility of user-defined tables you can create a BTREE that is
much faster than a linear search. But I think that for this purpose a
matching like "pool" should be the right one. Some time ago there was a
discussion here about whether pool should support a sparse set of IPs too
(rand spread). Maybe you can implement it and then use the pool module.

Cu
Thomas
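To make the "tree of user-defined chains instead of one long list" idea concrete, here is an added example that is not from this thread or from the netfilter project: a small Python generator that groups a list of netblocks into a two-level dispatch tree (one chain per first octet, one chain per first two octets), emits it in iptables-restore syntax, and models how many rules netfilter examines for a given source address when walking that tree versus a flat sequential list. The chain names (`BLOCK`, `BLOCK_10`, `BLOCK_10_15`, ...), the DROP-only policy and the sample netblocks are constructed for illustration; the `pool` match discussed above is not exercised here.

```python
"""Dispatch-tree generator for netfilter drop lists (illustrative, added example).

Instead of one chain holding N sequentially tested rules, each netblock is
placed in a chain that only packets from its /8 (and then its /16) ever reach.
A lookup therefore touches a handful of rules, and adding or removing one
netblock only changes one leaf chain, not the whole ruleset.
"""
import ipaddress

# Constructed sample: 256 /24 netblocks spread over 10.0-15.0-15.0/24, plus a few
# more, standing in for a real drop list of thousands of entries.
SAMPLE_NETBLOCKS = [f"10.{x}.{y}.0/24" for x in range(16) for y in range(16)] + [
    "172.16.0.0/12", "192.168.1.0/24", "203.0.113.0/24",
]

ROOT = "BLOCK"  # assumed name of the user-defined chain the caller jumps to


def _sorted_nets(netblocks):
    nets = [ipaddress.ip_network(c) for c in netblocks]
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def _chain_name(octets):
    return ROOT + "".join(f"_{o}" for o in octets)


def build_rules(netblocks):
    """Return {chain: [(network, target), ...]} forming a dispatch tree.

    A prefix of length >= 16 lands in the chain for its first two octets,
    8 <= prefixlen < 16 in the chain for its first octet, and anything
    shorter in the root chain.  Jump rules are created on first use.
    """
    rules = {ROOT: []}
    for net in _sorted_nets(netblocks):
        octets = tuple(net.network_address.packed)
        depth = min(2, net.prefixlen // 8)  # levels of dispatch this prefix needs
        chain = ROOT
        for level in range(depth):
            parent, chain = chain, _chain_name(octets[:level + 1])
            if chain not in rules:
                rules[chain] = []
                # The aggregate covering this branch, e.g. 10.0.0.0/8 or 10.15.0.0/16
                agg = ".".join(map(str, octets[:level + 1] + (0,) * (3 - level)))
                rules[parent].append((ipaddress.ip_network(f"{agg}/{8 * (level + 1)}"), chain))
        rules[chain].append((net, "DROP"))
    return rules


def render(rules):
    """Emit the tree in iptables-restore syntax for the filter table."""
    lines = ["*filter"] + [f":{chain} - [0:0]" for chain in rules]
    for chain, entries in rules.items():
        lines += [f"-A {chain} -s {net} -j {target}" for net, target in entries]
    lines.append("COMMIT")
    return "\n".join(lines)


def evaluate(rules, ip, chain=ROOT):
    """Model netfilter traversal: rules in order, a jump descends into the user
    chain and falls back here if it returns without a verdict.
    Returns (verdict, number of rules examined)."""
    addr = ipaddress.ip_address(ip)
    examined = 0
    for net, target in rules[chain]:
        examined += 1
        if addr not in net:
            continue
        if target == "DROP":
            return "DROP", examined
        verdict, sub = evaluate(rules, ip, target)
        examined += sub
        if verdict == "DROP":
            return "DROP", examined
    return "RETURN", examined


def linear_cost(netblocks, ip):
    """Cost of the same lookup against one flat chain tested sequentially."""
    addr = ipaddress.ip_address(ip)
    nets = _sorted_nets(netblocks)
    for i, net in enumerate(nets, 1):
        if addr in net:
            return "DROP", i
    return "RETURN", len(nets)


if __name__ == "__main__":
    rules = build_rules(SAMPLE_NETBLOCKS)
    print(render(rules))
    for ip in ("10.15.15.1", "203.0.113.9", "198.51.100.1"):
        print(ip, "tree:", evaluate(rules, ip), "flat:", linear_cost(SAMPLE_NETBLOCKS, ip))
```

Running the script prints the generated ruleset followed by the comparison; with the constructed sample, a worst-case hit in the tree examines 33 rules where the flat list examines 256, and a non-matching address is rejected after 4 rules instead of walking all 259. The cost model only counts rule evaluations, so it says nothing about per-rule match cost; it is meant to show why the sequential-testing concern raised above is addressed by chain structure rather than by rule count alone.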