Paul Caritj wrote:
Agreed,
Here's my situation: I need to create rules on the fly for (potentially) up to 4000 users. What I need is a way to delete *all* the rules for a given IP address without knowing the full contents of the rule (only the IP); as you might have guessed, I'm doing this programmatically.
My current solution is to have one chain for each associated IP. Is there a better solution to this problem?
Yikes, isn't processing that many rules for that many clients going to have some performance impact? Have you tried a strategy of processing the general rules (RELATED,ESTABLISHED -j ACCEPT, etc.) in your main filter chain and then dividing the client rules up by subnet? In theory that would substantially cut down the number of rules you would need to test for any given IP address.
Jeff
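An added example, not from either poster, of the layout Jeff suggests: general rules in the main chain, one jump per /24 into a dispatch chain, and one chain per client underneath it, so that removing a client means deleting one jump, flushing and deleting its chain, with no need to know the rule contents. Chain names (`CLIENTS`, `net_<prefix>`, `cli_<ip>`) and the per-client sample rules are made up for illustration; the functions only emit the iptables commands so the layout can be reviewed without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread). Emits iptables commands for a
# three-level layout: FORWARD -> CLIENTS (one jump per /24) ->
# net_<prefix> (one jump per client IP) -> cli_<ip> (that client's rules).
# Chain names are assumptions; nothing here executes iptables.

# Dispatch chain for the client's /24, e.g. 10.0.1.7 -> net_10_0_1
subnet_chain() {
    printf 'net_%s\n' "$(printf '%s' "$1" | cut -d. -f1-3 | tr . _)"
}

# Chain holding every rule for one client, e.g. 10.0.1.7 -> cli_10_0_1_7
client_chain() {
    printf 'cli_%s\n' "$(printf '%s' "$1" | tr . _)"
}

# Built once: stateful accept first, then hand off to the dispatcher.
emit_skeleton() {
    printf '%s\n' \
        "iptables -N CLIENTS" \
        "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "iptables -A FORWARD -j CLIENTS"
}

# Add a client. The /24 dispatch chain and its jump are created only
# if missing (-N fails harmlessly, -C checks for the existing jump).
# The two rules inside cli_<ip> are constructed placeholders for
# whatever per-user policy the program generates.
emit_add_client() {
    ip=$1; net=$(subnet_chain "$ip"); cli=$(client_chain "$ip")
    prefix=$(printf '%s' "$ip" | cut -d. -f1-3)
    printf '%s\n' \
        "iptables -N $net 2>/dev/null || true" \
        "iptables -C CLIENTS -s $prefix.0/24 -j $net 2>/dev/null || iptables -A CLIENTS -s $prefix.0/24 -j $net" \
        "iptables -N $cli" \
        "iptables -A $net -s $ip -j $cli" \
        "iptables -A $cli -p tcp --dport 80 -j ACCEPT" \
        "iptables -A $cli -j DROP"
}

# Remove every rule for a client knowing only its IP: delete the single
# jump into its chain, flush the chain, delete the chain.
emit_del_client() {
    ip=$1; net=$(subnet_chain "$ip"); cli=$(client_chain "$ip")
    printf '%s\n' \
        "iptables -D $net -s $ip -j $cli" \
        "iptables -F $cli" \
        "iptables -X $cli"
}

emit_skeleton
emit_add_client 10.0.1.7
emit_del_client 10.0.1.7
```

Packets from a client traverse the few general rules, one jump for its /24, and then only the client jumps inside that /24, rather than all 4000 chains; the remove path never has to know what was put in cli_<ip>.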