On Wed, May 25, 2005 at 07:20:53PM +0000, Martin Schiøtz wrote:
> Hi
>
> I'm planning to set up a bridge running iptables on an uplink of a lot
> of internet users. The uplink is on maximum at about 30 mbit/s. There
> are about 1800 * /29 ip nets - some /29 nets need to be stopped by
> the bridge and some can pass. I'm wondering about the performance of
> iptables when having 1800*2 rules worst case (PREROUTING rules on src
> and dst nets).

Sounds like a job for ipset [1]. If you have 1800 nets that fall into 2 categories, you'd have 2 rules, 1 for set 1 and 1 for set 2. Depending on how the nets break down on CIDR boundaries, you could auto-summarize the nets that have the same rules applied to them.

-j

[1] - http://people.netfilter.org/kadlec/ipset/

--
"Quagmire: Don't look at me like that. Fat chicks need love too... but they got to pay." --Family Guy
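As an added illustration of the approach -j describes (not code from the thread or from the ipset project): a small Python script that summarizes each category's /29 nets into the fewest CIDR blocks, checks that no prefix lands in both categories, and emits `ipset restore` and `iptables` lines. It assumes current ipset `hash:net` syntax and that bridged traffic is filtered in the FORWARD chain (via br_netfilter); the sample nets are constructed.

```python
import ipaddress

# Constructed sample data: two categories of /29 customer nets (not from the thread).
BLOCKED = ["203.0.113.0/29", "203.0.113.8/29", "203.0.113.16/29",
           "203.0.113.24/29", "198.51.100.64/29"]
ALLOWED = ["203.0.113.32/29", "203.0.113.40/29",
           "198.51.100.0/29", "198.51.100.8/29"]


def summarize(nets):
    """Collapse adjacent or overlapping prefixes into the fewest CIDR blocks.
    Four consecutive /29s on a /27 boundary become a single /27 entry."""
    return sorted(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets))


def conflicts(allow, block):
    """Prefixes present in both categories. With one rule per set, whichever
    rule comes first wins, so these must be resolved before loading the sets."""
    return [(a, b) for a in summarize(allow) for b in summarize(block) if a.overlaps(b)]


def ipset_restore(name, nets):
    """Lines for `ipset restore -file`: one hash:net set holding the summarized
    prefixes. hash:net does longest-prefix matching, so mixed lengths are fine."""
    lines = [f"create {name} hash:net family inet"]
    lines += [f"add {name} {n}" for n in summarize(nets)]
    return lines


def iptables_rules(set_name, target, chain="FORWARD"):
    """Two rules per set (src and dst) instead of two rules per customer net.
    FORWARD is assumed here for a bridge with br_netfilter enabled."""
    return [
        f"iptables -A {chain} -m set --match-set {set_name} src -j {target}",
        f"iptables -A {chain} -m set --match-set {set_name} dst -j {target}",
    ]


if __name__ == "__main__":
    if conflicts(ALLOWED, BLOCKED):
        raise SystemExit(f"nets in both categories: {conflicts(ALLOWED, BLOCKED)}")
    print("\n".join(ipset_restore("allowed", ALLOWED) + ipset_restore("blocked", BLOCKED)))
    print("\n".join(iptables_rules("allowed", "ACCEPT") + iptables_rules("blocked", "DROP")))
```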