From owner-freebsd-net@FreeBSD.ORG Tue Jun 20 21:10:17 2006
From: "Andrew Pantyukhin" <infofarmer@gmail.com>
To: "Brett Glass", "Phil Regnauld"
Cc: net@freebsd.org
Date: Wed, 21 Jun 2006 01:10:12 +0400
Subject: Re: Best way to block a long list of IPs?
In-Reply-To: <7.0.1.0.2.20060620143845.06662330@lariat.org>
References: <7.0.1.0.2.20060620143845.06662330@lariat.org>
On 6/21/06, Brett Glass wrote:
> Everyone:
>
> I've got an application in which I must block incoming TCP
> connections to a FreeBSD server from a potentially large list of IP
> addresses. Using IPFW is not a very efficient way to accomplish
> this, because it must do a linear search of a list (either one
> address per rule or an "or" list in a rule) and this could slow
> down every packet entering the machine dramatically.

ipfw tables are stored in Radix trees, which are very efficient.