Your solutions were way too slow. So I wrote a module that does a binary search to find ip ranges in a sorted list. Would netfilter be interested in the source code? I don't have the desire to put it into patch-o-matic format, but that shouldn't be hard to do. Also, it was built to read the ranges from a file, but I don't know how to pass a dynamic amount of memory from iptables to the kernel module so they must be hardcoded into the module.

Brian G.

--- "John A. Sullivan III" <jsullivan@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> > What is a reasonable way to match around 80000 IP ranges with iptables?
>
> The iprange patch will enable you to define ranges in iptables. If you
> do not want to patch, you can use SubnetCreator
> (http://subnetcreator.sourceforge.net).
>
> You will also want to ensure that you load the rules with iptables-restore
> or iptables-restore -n rather than using a script with lots of
> iptables commands. At your size, individual iptables commands would
> take forever to load.
> --
> John A. Sullivan III
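The binary search the post describes, as an added example that is not Brian's module or netfilter code: a user-space C sketch over a constructed, sorted table of inclusive IPv4 ranges. It also includes a load-time validity check, because an unsorted or overlapping table makes the search return wrong answers silently.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* One inclusive IPv4 range; addresses are host-order integers. */
struct ip_range { uint32_t start; uint32_t end; };

/* Constructed sample table (not from the post). It must be sorted by
 * start and non-overlapping, which is what makes binary search valid;
 * the module described above compiles its table in the same way. */
static const struct ip_range ranges[] = {
    { 0x0A000000, 0x0A0000FF },   /* 10.0.0.0     - 10.0.0.255      */
    { 0x0A000100, 0x0A0001FF },   /* 10.0.1.0     - 10.0.1.255      */
    { 0xC0A80000, 0xC0A8FFFF },   /* 192.168.0.0  - 192.168.255.255 */
    { 0xC6336400, 0xC63364FF },   /* 198.51.100.0 - 198.51.100.255  */
};
static const size_t nranges = sizeof(ranges) / sizeof(ranges[0]);

/* Reject a table that would silently break the search (unsorted or
 * overlapping entries); check this once at load time, not per packet. */
bool ranges_valid(const struct ip_range *r, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (r[i].start > r[i].end)
            return false;
        if (i > 0 && r[i].start <= r[i - 1].end)
            return false;
    }
    return true;
}

/* Binary search: find the last range whose start <= ip, then check that
 * ip does not pass its end. O(log n) per packet instead of walking every
 * rule. Returns the matching index, or -1 when no range contains ip. */
int match_ip(const struct ip_range *r, size_t n, uint32_t ip)
{
    size_t lo = 0, hi = n;              /* candidates are in [lo, hi) */
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (r[mid].start <= ip)
            lo = mid + 1;
        else
            hi = mid;
    }
    if (lo == 0)
        return -1;                      /* ip is below every range */
    return ip <= r[lo - 1].end ? (int)(lo - 1) : -1;
}
```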