[Bloat] netperf server news

Kenneth Porter shiva at sewingwitch.com
Wed Oct 7 21:39:02 EDT 2020


--On Wednesday, October 07, 2020 3:23 PM -0400 Rich Brown 
<richb.hanover at gmail.com> wrote:

> I'm also aware of ipset, which I take to be an optimized alternative to
> searching a long set of iptables rules (true?) I don't believe that my
> OpenVZ VPS has kernel support for this, so as long as the
> long-list-of-rules seems to work well, I'm going to leave it alone.

A quick google of "OpenVZ ipset" turned up a thread from 3 years ago 
suggesting it's in their kernel:

<https://forum.openvz.org/index.php?t=rview&goto=53549&th=13604>

Note that ipset operates in addition to iptables. Other kernel subsystems 
can also use them. iptables has a module to query an ipset.

500 rules is a lot to search linearly. I'd think a hash table would give 
much superior performance. Note that every "good" packet has to check ALL 
the blocking rules to be approved.

I use ipsets to block probes to my mail servers from outside the country 
and from cloud services. I've managed to find a few sources of lists for 
those. I also use ipset with fail2ban.

The only complicated part is how to handle reboots or other service 
restarts. I use firewalld which does its own ipset management so I put the 
permanent lists there. (I have scripts to convert the cloud lists to 
firewalld's XML format for its ipset storage.) fail2ban keeps its own block 
database in a sqlite file and tears down and recreates its ipsets on 
restart.
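An added illustration of the kind of list-to-firewalld conversion mentioned above (my own example, not Kenneth's scripts): it assumes a plain text list of CIDRs as input, a constructed one here, and writes the `hash:net` ipset XML layout firewalld keeps under `/etc/firewalld/ipsets/`.

```python
"""Convert a plain list of CIDR ranges into a firewalld ipset XML document.

firewalld loads permanent ipsets from /etc/firewalld/ipsets/<name>.xml at
(re)start, so a hash:net set stored there survives reboots without any
custom ipset restore script.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample "cloud provider" list (RFC 5737 documentation space),
# with the comments, blanks, overlaps and junk lines downloaded lists carry.
SAMPLE_LIST = """\
# example cloud ranges (constructed)
192.0.2.0/24
192.0.2.128/25
198.51.100.0/24

not-an-address
198.51.100.0/24
"""


def parse_networks(text):
    """Return a deduplicated, collapsed list of IPv4 networks.

    Blank lines, comments, IPv6 entries and malformed lines are skipped so one
    bad line cannot break the whole set (family is fixed to inet below).
    """
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            continue  # not a valid IPv4 CIDR; skip it
    # collapse_addresses merges 192.0.2.128/25 into 192.0.2.0/24 and dedupes
    return list(ipaddress.collapse_addresses(nets))


def to_firewalld_xml(nets, description="constructed cloud blocklist"):
    """Build the XML body firewalld expects for a permanent hash:net ipset."""
    root = ET.Element("ipset", type="hash:net")
    ET.SubElement(root, "description").text = description
    ET.SubElement(root, "option", name="family", value="inet")
    for net in nets:
        ET.SubElement(root, "entry").text = str(net)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(to_firewalld_xml(parse_networks(SAMPLE_LIST)))
```

Write the output to `/etc/firewalld/ipsets/<name>.xml` and reload firewalld; the set is then referenced from a rich rule or direct rule, so each packet is checked with one hash lookup instead of one rule per range.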
