From owner-freebsd-net@FreeBSD.ORG  Tue Jun 20 21:23:24 2006
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: net@freebsd.org
Delivered-To: freebsd-net@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id AE8B116A474
	for <net@freebsd.org>; Tue, 20 Jun 2006 21:23:24 +0000 (UTC)
	(envelope-from brett@lariat.org)
Received: from lariat.net (lariat.net [65.122.236.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E83A243D66
	for <net@freebsd.org>; Tue, 20 Jun 2006 21:23:23 +0000 (GMT)
	(envelope-from brett@lariat.org)
Received: from Anne (IDENT:ppp1000.lariat.net@lariat.net [65.122.236.2])
	by lariat.net (8.9.3/8.9.3) with ESMTP id PAA14978;
	Tue, 20 Jun 2006 15:23:11 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook renders your system
	susceptible to Internet worms.
Message-Id: <7.0.1.0.2.20060620151013.042be3f8@lariat.org>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0
Date: Tue, 20 Jun 2006 15:22:46 -0600
To: Luigi Rizzo <rizzo@icir.org>, net@freebsd.org,
	Phil Regnauld <regnauld@catpipe.net>
From: Brett Glass <brett@lariat.org>
In-Reply-To: <20060620140722.A1192@xorpc.icir.org>
References: <7.0.1.0.2.20060620143845.06662330@lariat.org>
	<20060620205730.GC3968@catpipe.net>
	<20060620140722.A1192@xorpc.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: 
Subject: Re: Best way to block a long list of IPs?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jun 2006 21:23:24 -0000

At 03:07 PM 6/20/2006, Luigi Rizzo wrote:
 
>there are efficient tables in ipfw as well, which Ruslan implemented
>some time ago -- yet another reason we should be grateful to him

How would I build a table of arbitrary IP addresses and be able
to update it atomically (i.e. add and delete individual addresses
and not lose all filtering when there was a modification)?

>and also, if your address are in the same /24 subnet, you can use
>the ipfw address set format which looks like this
>        1.2.3.0/24{10,20,21,30,34,55}
>and can deal in constant time for up to 256 randomly distributed hosts.

Not random enough. Each of these IP addresses could be anywhere in 
the 32 bit IPv4 address range.

--Brett Glass