Date: Tue, 20 Jun 2006 14:26:47 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Brett Glass <brett@lariat.org>
Cc: net@freebsd.org
Subject: Re: Best way to block a long list of IPs?
Message-ID: <20060620142647.A1333@xorpc.icir.org>
In-Reply-To: <7.0.1.0.2.20060620151013.042be3f8@lariat.org>; from brett@lariat.org on Tue, Jun 20, 2006 at 03:22:46PM -0600
References: <7.0.1.0.2.20060620143845.06662330@lariat.org> <20060620205730.GC3968@catpipe.net> <20060620140722.A1192@xorpc.icir.org> <7.0.1.0.2.20060620151013.042be3f8@lariat.org>

On Tue, Jun 20, 2006 at 03:22:46PM -0600, Brett Glass wrote:
> At 03:07 PM 6/20/2006, Luigi Rizzo wrote:
>
> >there are efficient tables in ipfw as well, which Ruslan implemented
> >some time ago -- yet another reason we should be grateful to him
>
> How would I build a table of arbitrary IP addresses and be able
> to update it atomically (i.e. add and delete individual addresses
> and not lose all filtering when there was a modification)?

please have a look at the ipfw manpage, the relevant commands are

    ipfw table number add addr[/masklen] [value]
    ipfw table number delete addr[/masklen]

and the matching is as fast as a route lookup as it uses the same
type of data structure.

cheers
luigi
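
Added example, not part of the original message: a sketch of updating a table entry by entry with the two commands quoted above, so the table is never flushed while a blocklist changes. The function names, the file layout and the assumed `addr/masklen value` format of a saved `ipfw table N list` are assumptions of this example, and it handles IPv4 entries only.

```sh
#!/bin/sh
# Added example (not from the original message): work out the individual
# "ipfw table N add/delete" commands that bring a table in line with a
# blocklist file, so the table is never emptied and reloaded.

# normalise FILE: drop comments and blank lines, keep the first field
# (the address), add /32 to bare IPv4 hosts, sort for comm(1).
# Assumption: a saved table listing has the form "addr/masklen value".
normalise() {
    awk '{ sub(/#.*/, "") }
         NF { a = $1; if (index(a, "/") == 0) a = a "/32"; print a }' "$1" |
        LC_ALL=C sort -u
}

# plan_table_update TABLE CURRENT DESIRED
# CURRENT is a saved "ipfw table TABLE list"; DESIRED is the blocklist.
# Prints one ipfw command per changed entry, additions before deletions.
plan_table_update() {
    table=$1
    tmp=$(mktemp -d) || return 1
    normalise "$2" > "$tmp/cur"
    normalise "$3" > "$tmp/want"
    # Lines only in DESIRED become adds, lines only in CURRENT become deletes.
    LC_ALL=C comm -13 "$tmp/cur" "$tmp/want" | sed "s|^|ipfw table $table add |"
    LC_ALL=C comm -23 "$tmp/cur" "$tmp/want" | sed "s|^|ipfw table $table delete |"
    rm -rf "$tmp"
}

# Constructed sample data (documentation address ranges, not real hosts).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '192.0.2.10/32 0' '198.51.100.0/24 0' '203.0.113.5/32 0' \
        > "$d/current"
    printf '%s\n' '# blocklist' '192.0.2.10' '198.51.100.0/24' \
        '203.0.113.77  # new' > "$d/desired"
    plan_table_update 1 "$d/current" "$d/desired"
    rm -rf "$d"
}

demo
```

The script only prints the commands; on a FreeBSD host they would be reviewed and then run as root, with a rule such as `ipfw add deny ip from 'table(1)' to any` referring to the table.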
