Re: iptables performance

Yes - This looks like the right thing. Thanks :-) 

On 5/25/05, Jason Opperisano <opie@xxxxxxxxxxx> wrote:
> On Wed, May 25, 2005 at 07:20:53PM +0000, Martin Schiøtz wrote:
> > Hi
> >
> > I'm planning to set up a bridge running iptables on an uplink of a lot
> > of internet users. The uplink is at maximum about 30 mbit/s. There
> > are about 1800 * /29 ip nets - some /29 nets need to be stopped by
> > the bridge and some can pass. I'm wondering about the performance of
> > iptables when having 1800*2 rules worst case (PREROUTING rules on src
> > and dst nets).
> 
> sounds like a job for ipset [1].  if you have 1800 nets that fall into 2
> categories, you'd have 2 rules, 1 for set 1 and 1 for set 2.  depending
> how the nets break down on CIDR boundaries, you could auto-summarize the
> nets that have the same rules to be applied to them.
> 
> -j
> 
> [1] - http://people.netfilter.org/kadlec/ipset/
> 
> --
> "Quagmire: Don't look at me like that. Fat chicks need love too... but
>  they got to pay."
>         --Family Guy
> 
>
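
Added example, not part of the original thread: a Python sketch of the CIDR auto-summarization suggested above, which collapses /29 nets of one category into exact covering blocks, checks that no net landed in both categories, and renders `ipset restore` input. The sample nets, the set name `blocked_nets`, the modern `hash:net` set type and the iptables rules in the closing comment are assumptions, not values from the thread.

```python
import ipaddress

# Constructed sample data: /29 customer nets in two categories.
BLOCKED = ["10.20.0.0/29", "10.20.0.8/29", "10.20.0.16/29",
           "10.20.0.24/29", "10.20.0.40/29"]
ALLOWED = ["10.20.0.32/29", "10.20.0.48/29"]


def summarize(nets):
    """Merge adjacent or overlapping nets into the fewest exact CIDR blocks.

    collapse_addresses() only merges when the inputs fill the whole
    supernet, so the result never covers an address that was not listed.
    """
    parsed = (ipaddress.ip_network(n) for n in nets)
    return [str(n) for n in ipaddress.collapse_addresses(parsed)]


def conflicts(blocked, allowed):
    """Return (blocked, allowed) pairs that overlap, i.e. misclassified nets."""
    return [(b, a) for b in summarize(blocked) for a in summarize(allowed)
            if ipaddress.ip_network(b).overlaps(ipaddress.ip_network(a))]


def restore_lines(set_name, nets):
    """Render input for `ipset restore` (hash:net set, modern ipset syntax)."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {n}" for n in summarize(nets)]
    return lines


if __name__ == "__main__":
    bad = conflicts(BLOCKED, ALLOWED)
    if bad:
        raise SystemExit(f"net listed in both categories: {bad}")
    print("\n".join(restore_lines("blocked_nets", BLOCKED)))
    # Assumed matching rules, one per direction instead of one per net:
    #   iptables -A FORWARD -m set --match-set blocked_nets src -j DROP
    #   iptables -A FORWARD -m set --match-set blocked_nets dst -j DROP
```

Here four contiguous /29 nets become one /27 entry, while the isolated /29 stays separate because its neighbour belongs to the other category.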


