From: Kenneth Porter <shiva@sewingwitch.com>
To: bloat@lists.bufferbloat.net
Subject: Re: [Bloat] netperf server news
Date: Wed, 07 Oct 2020 18:39:02 -0700
Message-ID: <955611546A6ED240A7068230@[172.27.17.193]>
In-Reply-To: <2F734444-9922-412A-90E3-254B045E9FF8@gmail.com>
--On Wednesday, October 07, 2020 3:23 PM -0400 Rich Brown
<richb.hanover@gmail.com> wrote:
> I'm also aware of ipset, which I take to be an optimized alternative to
> searching a long set of iptables rules (true?) I don't believe that my
> OpenVZ VPS has kernel support for this, so as long as the
> long-list-of-rules seems to work well, I'm going to leave it alone.
A quick google of "OpenVZ ipset" turned up a thread from 3 years ago
suggesting it's in their kernel:
<https://forum.openvz.org/index.php?t=rview&goto=53549&th=13604>
Note that ipset operates in addition to iptables. Other kernel subsystems
can also use them. iptables has a module to query an ipset.
500 rules is a lot to search linearly. I'd think a hash table would give
much superior performance. Note that every "good" packet has to check ALL
the blocking rules to be approved.
I use ipsets to block probes to my mail servers from outside the country
and from cloud services. I've managed to find a few sources of lists for
those. I also use ipset with fail2ban.
The only complicated part is how to handle reboots or other service
restarts. I use firewalld which does its own ipset management so I put the
permanent lists there. (I have scripts to convert the cloud lists to
firewalld's XML format for its ipset storage.) fail2ban keeps its own block
database in a sqlite file and tears down and recreates its ipsets on
restart.
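As an added illustration of the two points above (one hashed set lookup instead of hundreds of linear iptables rules, and keeping the set across restarts), not code from Kenneth or the list: the script below turns a plain CIDR list into an `ipset restore` script that builds the set and swaps it in atomically, and into the XML firewalld keeps under /etc/firewalld/ipsets/. The block list, the set name `blocklist` and the `hash:net` type are assumptions for the example.

```shell
#!/bin/sh
# Constructed sample block list (not a real feed): one CIDR per line,
# with '#' comments and blank lines allowed.
SAMPLE_LIST='# example cloud ranges (constructed)
203.0.113.0/24
198.51.100.0/25

192.0.2.0/24'

# Strip comments and blank lines from the list.
clean_list() {
    printf '%s\n' "$SAMPLE_LIST" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d'
}

# Emit input for "ipset restore": build the new contents in a temporary set,
# then swap it into place, so a rule such as
#   iptables -I INPUT -p tcp --dport 25 -m set --match-set NAME src -j DROP
# never sees an empty set while the list is being refreshed.
# $1 is the set name (assumed); the set type is assumed to be hash:net.
ipset_restore_script() {
    set_name="$1"
    printf 'create %s hash:net -exist\n' "$set_name"
    printf 'create %s_tmp hash:net -exist\n' "$set_name"
    printf 'flush %s_tmp\n' "$set_name"
    clean_list | while read -r cidr; do
        printf 'add %s_tmp %s\n' "$set_name" "$cidr"
    done
    printf 'swap %s_tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s_tmp\n' "$set_name"
}

# Emit the same list as a firewalld ipset definition, which firewalld
# reloads on restart so the set survives a reboot without extra scripting.
firewalld_ipset_xml() {
    set_name="$1"
    printf '<?xml version="1.0" encoding="utf-8"?>\n'
    printf '<ipset type="hash:net">\n'
    printf '  <short>%s</short>\n' "$set_name"
    clean_list | while read -r cidr; do
        printf '  <entry>%s</entry>\n' "$cidr"
    done
    printf '</ipset>\n'
}
```

Feed the first function's output to `ipset restore` and write the second's to /etc/firewalld/ipsets/blocklist.xml before `firewall-cmd --reload`.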