From: Kenneth Porter
To: bloat@lists.bufferbloat.net
Date: Wed, 07 Oct 2020 18:39:02 -0700
Subject: Re: [Bloat] netperf server news
Message-ID: <955611546A6ED240A7068230@[172.27.17.193]>
In-Reply-To: <2F734444-9922-412A-90E3-254B045E9FF8@gmail.com>
References: <2F734444-9922-412A-90E3-254B045E9FF8@gmail.com>

--On Wednesday, October 07, 2020 3:23 PM -0400 Rich Brown wrote:

> I'm also aware of ipset, which I take to be an optimized alternative to
> searching a long set of iptables rules (true?) I don't believe that my
> OpenVZ VPS has kernel support for this, so as long as the
> long-list-of-rules seems to work well, I'm going to leave it alone.

A quick google of "OpenVZ ipset" turned up a thread from 3 years ago suggesting it's in their kernel:

Note that ipset operates in addition to iptables. Other kernel subsystems can also use them. iptables has a module to query an ipset.

500 rules is a lot to search linearly. I'd think a hash table would give much superior performance. Note that every "good" packet has to check ALL the blocking rules to be approved.

I use ipsets to block probes to my mail servers from outside the country and from cloud services. I've managed to find a few sources of lists for those. I also use ipset with fail2ban.

The only complicated part is how to handle reboots or other service restarts. I use firewalld, which does its own ipset management, so I put the permanent lists there. (I have scripts to convert the cloud lists to firewalld's XML format for its ipset storage.) fail2ban keeps its own block database in a sqlite file and tears down and recreates its ipsets on restart.
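The ipset-plus-iptables setup described in the message above, as an added example that is not code from the original message, from firewalld, or from ipset itself: a small Python script that turns a plain CIDR block list (constructed sample data here, the kind of thing a cloud-provider or country list download looks like) into both a firewalld ipset XML file and an `ipset restore` batch, and prints the single iptables rule that consults the set in place of hundreds of per-address rules. The set names, the mail-port list and the scratch-set-then-swap reload pattern are assumptions, not anything the message states.

```python
"""Convert a plain CIDR block list into (a) firewalld ipset XML and
(b) an `ipset restore` batch, plus the one iptables rule that uses it.

Added example; not from the original mailing-list post.  Assumptions:
set name "blocklist_v4", SMTP/submission ports, hash:net set type.
"""
import ipaddress
from xml.sax.saxutils import escape

# Constructed sample input: comments, a duplicate, an overlapping subnet,
# a bare host, an IPv6 prefix and one junk line, as real downloads often have.
SAMPLE_LIST = """\
# constructed block list for this example
192.0.2.0/24
192.0.2.128/25     # already covered by the /24 above
198.51.100.0/24
198.51.100.0/24    # duplicate
203.0.113.7        # bare host, becomes a /32
2001:db8::/32      # IPv6 must live in a separate (family inet6) set
not-an-address
"""


def parse_networks(text):
    """Return (ipv4_nets, ipv6_nets, rejected_lines).

    Each family is collapsed so duplicates and subsumed prefixes vanish;
    fewer hash entries means less memory and fewer overlaps to reason about.
    strict=False normalises host bits (e.g. 192.0.2.5/24 -> 192.0.2.0/24).
    """
    v4, v6, rejected = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        (v4 if net.version == 4 else v6).append(net)
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)),
            rejected)


def _family(nets):
    return "inet6" if nets and nets[0].version == 6 else "inet"


def firewalld_ipset_xml(nets, short=None):
    """Render firewalld's ipset XML (firewalld.ipset(5)); install it as
    /etc/firewalld/ipsets/<name>.xml and reload firewalld (assumed layout)."""
    out = ['<?xml version="1.0" encoding="utf-8"?>', '<ipset type="hash:net">']
    if short:
        out.append(f"  <short>{escape(short)}</short>")
    if _family(nets) == "inet6":
        out.append('  <option name="family" value="inet6"/>')
    out += [f"  <entry>{n}</entry>" for n in nets]
    out.append("</ipset>")
    return "\n".join(out) + "\n"


def ipset_restore_batch(name, nets):
    """Build stdin for `ipset restore`: fill a scratch set, then atomically
    swap it into place so the live set is never empty mid-reload (the
    reboot/restart problem the message mentions).  `-exist` keeps the
    batch idempotent across repeated runs."""
    fam, tmp = _family(nets), f"{name}_tmp"
    lines = [f"create {name} hash:net family {fam} -exist",
             f"create {tmp} hash:net family {fam} -exist",
             f"flush {tmp}"]
    lines += [f"add {tmp} {n} -exist" for n in nets]
    lines += [f"swap {tmp} {name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


def iptables_rules(name, family="inet", ports="25,465,587"):
    """One rule does the hash lookup for every address in the set."""
    cmd = "ip6tables" if family == "inet6" else "iptables"
    return [f"{cmd} -I INPUT -p tcp -m multiport --dports {ports} "
            f"-m set --match-set {name} src -j DROP"]


if __name__ == "__main__":
    v4, v6, bad = parse_networks(SAMPLE_LIST)
    print(firewalld_ipset_xml(v4, short="blocklist_v4"))
    print(ipset_restore_batch("blocklist_v4", v4))  # pipe into: ipset restore
    print(iptables_rules("blocklist_v4")[0])
    print("rejected lines:", bad)
```

The swap pattern matters for the restart case: `ipset restore` with a plain `flush` followed by `add` lines leaves a window where the live set is empty and the DROP rule matches nothing, whereas `swap` replaces the contents in one step (both sets must share type and family, which the script guarantees).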