Re: Using iptables and ipset to DROP a list of 2 million addresses

On Thu, 11 Apr 2024, Le Chevalier wrote:

> On 2024-04-11 14:39, Mason Kaufer wrote:
> > I am currently trying to set up a firewall on an Ubuntu 22.04 machine 
> > that will block a list of 2 million plus IP addresses without slowing 
> > the network speed down tremendously. I have tried using ipset but I 
> > get an error that the hash size isn't large enough. I have tried 
> > manually setting the hash size but it only allows that option to be so 
> > large. Is there something I am doing wrong or is there a better way to 
> > achieve this? Any help with this would be much appreciated.

There's no upper limit in the hash size (except that the number must fit 
into u32). On my laptop:

# ipset n test hash:ip hashsize 10000000 maxelem 10000000
# ipset l
Name: test
Type: hash:ip
Revision: 5
Header: family inet hashsize 16777216 maxelem 10000000 bucketsize 12 initval 0xc61d4797
Size in memory: 393392
References: 0
Number of entries: 0
Members:

Please note, you must tune both hashsize and maxelem parameters in order 
to be able to store the given number of entries.

Best regards,
Jozsef
-- 
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary
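As an added example (not code from the thread), the following script builds an `ipset restore` batch for a large blocklist, sizing hashsize and maxelem to the entry count as the reply advises, so the 2 million entries are loaded in one pass instead of one `ipset add` per address. The set name "blocklist", the input file layout (one IPv4 address per line) and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an input file with one IPv4
# address per line; comment lines and blanks are skipped.

# Round n up to the next power of two. ipset does this itself for hashsize
# (the reply's 10000000 became 16777216); computing it here makes the
# intended size explicit and gives maxelem the same headroom.
next_pow2() {
    p=1
    while [ "$p" -lt "$1" ]; do p=$((p * 2)); done
    echo "$p"
}

# Write an ipset restore script for the addresses in $1 to $2.
# Both hashsize and maxelem are sized for the entry count, since tuning only
# one of them is the mistake the reply warns about. Prints the entry count.
build_restore_script() {
    in="$1"; out="$2"; set_name="${3:-blocklist}"
    ipv4='^[0-9]+(\.[0-9]+){3}$'
    n=$(grep -cE "$ipv4" "$in" || true)
    hs=$(next_pow2 "$n")
    {
        echo "create $set_name hash:ip family inet hashsize $hs maxelem $hs"
        grep -E "$ipv4" "$in" | sed "s/^/add $set_name /"
    } > "$out"
    echo "$n"
}

# Constructed sample input (three addresses plus a comment line).
sample_input() {
    printf '# constructed sample\n203.0.113.1\n198.51.100.7\n192.0.2.250\n'
}

# Usage (as root, with a real address list in blocklist.txt):
#   build_restore_script blocklist.txt blocklist.restore blocklist
#   ipset -exist restore < blocklist.restore
#   iptables -I INPUT -m set --match-set blocklist src -j DROP
```

Re-running the restore with `-exist` is idempotent, so the batch can be regenerated and re-applied when the list changes.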
