Hi Phil

Phil Howard wrote:
> I would like to know how best to block 10000's of addresses using
> netfilter. Clearly I do not want to be placing 10000's of individual
> filter table entries in.

Do you know nf-hipac? Michael Bellion and I made an announcement on the netfilter list some time ago. It's a new framework which implements a packet filter that maintains the semantics of linear lists of rules while the matching algorithm is much more efficient than just matching rules sequentially.

nf-hipac is a registered sourceforge project:
http://sourceforge.net/projects/nf-hipac/

You find some additional information (including a performance test) on our homepage:
http://www.hipac.org/

The missing documentation will be available soon (next week), but as the userspace tool of nf-hipac uses the same syntax as iptables it should not be a problem for you to cope with it. You don't even have to recompile your kernel.

Finally, nf-hipac and iptables can be used at the same time. This might be interesting for you if you need matches/targets which we do not yet support. There is just one important thing to notice: the order in which the packet filters are called. Currently, the iptables filter table is called before nf-hipac. If you need it the other way around, tell me and I'll send you a mini patch.

Regards,
Thomas
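The reply above makes one point that is easy to get wrong when replacing a long linear rule chain with an indexed lookup: the result must stay identical to sequential first-match evaluation, not become longest-prefix matching. The following is an added illustration of that idea in Python; it is not nf-hipac's code or algorithm, and the rule set, the `PrefixIndex` class and the sample addresses are constructed here for demonstration. A naive matcher walks the rule list; the indexed matcher keeps one hash table per prefix length that maps a masked network to the lowest rule index, so a lookup costs at most one probe per distinct prefix length (at most 33 for IPv4) instead of one comparison per rule, while still returning the first rule in list order.

```python
import ipaddress
import random

# A rule is (network, action). List position is priority: first match wins,
# exactly like a linear filter chain.

def make_rules(specs):
    """Build a rule list from (cidr_string, action) pairs, e.g. ("10.0.0.0/8", "DROP")."""
    return [(ipaddress.ip_network(cidr, strict=False), action) for cidr, action in specs]

def build_random_rules(count=10000, seed=1):
    """Constructed sample rule set: `count` random DROP blocks plus a final ACCEPT catch-all."""
    rng = random.Random(seed)
    specs = []
    for _ in range(count):
        addr = ipaddress.IPv4Address(rng.getrandbits(32))
        plen = rng.choice([16, 24, 32])
        specs.append((f"{addr}/{plen}", "DROP"))
    specs.append(("0.0.0.0/0", "ACCEPT"))
    return make_rules(specs)

def match_linear(rules, ip):
    """Reference semantics: scan the list, return (index, action) of the first hit."""
    ip = ipaddress.ip_address(ip)
    for idx, (net, action) in enumerate(rules):
        if ip in net:
            return idx, action
    return None

class PrefixIndex:
    """Indexed matcher that preserves first-match order (hypothetical, not nf-hipac)."""

    def __init__(self, rules):
        self.rules = rules
        self.tables = {}  # prefix length -> {masked network int: lowest rule index}
        for idx, (net, _) in enumerate(rules):
            table = self.tables.setdefault(net.prefixlen, {})
            # setdefault keeps the lowest index, which is what linear order requires
            table.setdefault(int(net.network_address), idx)
        self.prefix_lengths = sorted(self.tables)

    def match(self, ip):
        ip_int = int(ipaddress.ip_address(ip))
        best = None
        # One probe per distinct prefix length, then pick the lowest rule index,
        # NOT the longest prefix: that is the difference from a routing lookup.
        for plen in self.prefix_lengths:
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            idx = self.tables[plen].get(ip_int & mask)
            if idx is not None and (best is None or idx < best):
                best = idx
        if best is None:
            return None
        return best, self.rules[best][1]

def equivalent_on(rules, samples):
    """True if the indexed matcher agrees with linear scanning on every sample address."""
    index = PrefixIndex(rules)
    return all(match_linear(rules, ip) == index.match(ip) for ip in samples)

if __name__ == "__main__":
    rules = build_random_rules()
    rng = random.Random(2)
    samples = [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(5000)]
    samples += [str(net.network_address) for net, _ in rules[:500]]
    print("indexed matcher agrees with linear scan:", equivalent_on(rules, samples))
```

The handcrafted case in the test is the one to keep in mind: with `10.0.0.0/8 DROP` listed before `10.1.0.0/16 ACCEPT`, a longest-prefix lookup would accept 10.1.2.3, but a linear chain drops it, and so must any index that claims to preserve list semantics.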