* mailinglists (mailinglists@xxxxxxxxx) wrote:
> Generally I think this is a problem of too large rule sets. Is there a way to make containers of src/dst addresses? e.g. like this:
>
> container_untrusted_dns="ip.addr.A, ip.addr.B, ip.addr.C"
> container_trusted_dns="ip.addr.D, ip.addr.E"
>
> iptables -A FORWARD -p 6 -m state -s $container_trusted_dns --sport 1024: -d $container_untrusted_dns --dport 53 -o $waneth --state NEW,ESTABLISHED -j ACCEPT

It's overkill for this but you can use ipt_recent for matching on many disparate addresses or ippool for faster matching on IP addresses in small ranges.

ippool in netfilter currently uses a bitfield for its IP address storage so you have to specify the range ahead of time and if the range is very large it takes up gobs of memory.

ipt_recent is meant for doing matches on recently seen IP addresses but can also be used for static lists without penalty if you use --rcheck for the check (and not --update). ipt_recent is implemented as a hash table and so you can throw any address you want in it without concern for memory size beyond the total number of IP addresses you want to be able to store at once instead of their disparity.

More information on ipt_recent is available in the netfilter extension FAQ and at the homepage http://snowman.net/projects/ipt_recent/ . ippool is documented as part of netfilter.

Stephen
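As an added illustration of the two approaches discussed in this thread (this is example code, not something either poster wrote): the first function expands the address "containers" from the question into one rule per source/destination pair, which is the rule-set growth the question complains about; the second uses the recent match with --rcheck as Stephen suggests, so the chain length stays constant and the lists live in two hash tables. Assumptions not taken from the thread: the proc interface is /proc/net/xt_recent (the original snowman.net module used /proc/net/ipt_recent; override with RECENT_PROC), the interface name eth1, the chain name DNS_OUT, the table names trusted_dns/untrusted_dns, and all addresses, which are constructed from RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example for this thread (not code from either poster): two ways to
# express an address "container" in iptables. Assumptions: the recent match is
# available and its proc interface is /proc/net/xt_recent on current kernels
# (/proc/net/ipt_recent for the original snowman.net module). Addresses,
# interface and chain/table names below are constructed for the example.

trusted_dns="192.0.2.10 192.0.2.11"                       # constructed
untrusted_dns="203.0.113.53 203.0.113.54 203.0.113.55"    # constructed
waneth="eth1"                                            # constructed
RECENT_PROC="${RECENT_PROC:-/proc/net/xt_recent}"

# run: print the command instead of executing it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Approach 1: expand both lists into one rule per (src, dst) pair. The rule
# count is |trusted| x |untrusted|, and every packet walks the chain until a
# rule matches, which is what makes large sets slow.
expand_pairs() {
  for s in $trusted_dns; do
    for d in $untrusted_dns; do
      run iptables -A FORWARD -p tcp -s "$s" --sport 1024: -d "$d" --dport 53 \
        -o "$waneth" -m state --state NEW,ESTABLISHED -j ACCEPT
    done
  done
}

# count_pairs: how many rules approach 1 produces for the lists above.
count_pairs() {
  ( DRY_RUN=1; expand_pairs ) | wc -l | tr -d ' '
}

# Approach 2: two recent tables and two rules, whatever the list sizes.
# --rcheck is a read-only lookup; --update or --set would touch the entries'
# timestamps and turn the static list back into a "recently seen" list.
recent_rules() {
  run iptables -N DNS_OUT
  # Look the source address up in the trusted table (--rsource is the default).
  run iptables -A FORWARD -p tcp --sport 1024: --dport 53 -o "$waneth" \
    -m recent --name trusted_dns --rcheck --rsource -j DNS_OUT
  # Look the destination address up in the untrusted table.
  run iptables -A DNS_OUT -m recent --name untrusted_dns --rcheck --rdest \
    -m state --state NEW,ESTABLISHED -j ACCEPT
}

# load_list NAME ADDR...: populate a recent table through its proc file.
# The file only appears once a rule names the table, so add the rules first.
# A table holds at most ip_list_tot entries (module parameter, default 100);
# raise it at module load time for bigger lists.
load_list() {
  name="$1"; shift
  for a in "$@"; do
    run sh -c "echo +$a > $RECENT_PROC/$name"
  done
}

# count_recent: number of commands approach 2 needs for the same lists
# (grows linearly with the number of addresses, not with the product).
count_recent() {
  ( DRY_RUN=1; recent_rules; load_list trusted_dns $trusted_dns
    load_list untrusted_dns $untrusted_dns ) | wc -l | tr -d ' '
}

# Without "apply" as the first argument, only preview what would be run.
if [ "${1:-}" = "apply" ]; then
  recent_rules
  load_list trusted_dns $trusted_dns
  load_list untrusted_dns $untrusted_dns
else
  DRY_RUN=1
  echo "# approach 1: $(count_pairs) rules"; expand_pairs
  echo "# approach 2: $(count_recent) commands"; recent_rules
  load_list trusted_dns $trusted_dns; load_list untrusted_dns $untrusted_dns
fi
```

Run without arguments to see the generated commands; `sh script.sh apply` needs root and a kernel with the recent match loaded. The counts make the trade-off concrete: with two lists of 50 addresses, approach 1 appends 2500 rules to FORWARD, while approach 2 stays at 3 rule commands plus 100 proc writes, and a lookup is a hash probe rather than a walk down the chain.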