Date: Mon, 25 Jul 2016 14:41:00 -0300
From: "Dr. Rolf Jansen" <rj@obsigna.com>
To: freebsd-ipfw@freebsd.org
Cc: Michael Sierchio <kudzu@tenebras.com>, Jan Bramkamp <crest@rlwinm.de>
Subject: Re: ipfw divert filter for IPv4 geo-blocking
Message-ID: <4D047727-F7D0-4BEE-BD42-2501F44C9550@obsigna.com>
In-Reply-To: <CAHu1Y739PvFqqEKE74BjzgLa7NNG6Kh55NPnU5MaA-8HsrjkFw@mail.gmail.com>
References: <61DFB3E2-6E34-4EEA-8AC6-70094CEACA72@cyclaero.com> <CAHu1Y739PvFqqEKE74BjzgLa7NNG6Kh55NPnU5MaA-8HsrjkFw@mail.gmail.com>
> On 25.07.2016 at 12:47, Michael Sierchio <kudzu@tenebras.com> wrote:
>
> Writing a divert daemon is a praiseworthy project, but I think you could do
> this without sending packets to user land.
>
> You could use tables - …

> On 25.07.2016 at 14:01, Jan Bramkamp <crest@rlwinm.de> wrote:
>
> I would use a set of IPFW tables with skipto/call tablearg rules instead …

Michael and Jan, many thanks for your suggestions.

As everybody knows, 'Many roads lead to Rome.', and I am already there. I don't feel like going all the way back only for the sake of trying out other routes.

Once a week, the IP ranges are compiled from original sources into a binary sorted table, containing as of today 83162 consolidated range/cc pairs. On starting up, the divert daemon reads the binary file in one block and stores the ranges into a totally balanced binary search tree. Looking up a country code for a given IPv4 address in the BST takes on average 20 nanoseconds on an AWS-EC2 micro instance. I don't know the overhead of diverting, though. I guess this may be one or two orders of magnitude higher. Even so, I won't see any performance issues.

Independent of the actual usage case (geo-blocking), let's talk about divert filtering in general. The original question, which is still unanswered, can be generalized to whether "dropping/denying" a packet simply means 'forget about it' or whether the divert filter is required to do something more involved, e.g. communicate the situation somehow to ipfw.

Best regards

Rolf
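The lookup Rolf describes (a sorted table of consolidated range/cc pairs, searched in O(log n) per address) as an added, self-contained example. This is not Rolf's daemon, not FreeBSD code and not the real allocation data: the range table below is constructed for the test and the country codes in it are made up; a binary search over the sorted array stands in for his balanced BST, since both probe the same keys in the same number of steps. The divert socket I/O itself, and the question he raises about how a drop should be signalled to ipfw, are deliberately left out; the code only produces the per-packet decision a divert daemon would act on.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One consolidated range/cc pair, inclusive on both ends, host byte order. */
typedef struct {
    uint32_t lo;
    uint32_t hi;
    char     cc[3];
} range_t;

/* Constructed sample table (NOT real registry data): sorted by lo, non-overlapping,
 * with deliberate gaps so that unassigned space resolves to "--". */
static const range_t ranges[] = {
    { 0x0A000000u, 0x0AFFFFFFu, "ZZ" },  /* 10.0.0.0/8      */
    { 0x2D000000u, 0x2DFFFFFFu, "DE" },  /* 45.0.0.0/8      */
    { 0x3E000000u, 0x3E7FFFFFu, "BR" },  /* 62.0.0.0/9      */
    { 0x3E800000u, 0x3EFFFFFFu, "US" },  /* 62.128.0.0/9    */
    { 0xC0A80000u, 0xC0A8FFFFu, "ZZ" },  /* 192.168.0.0/16  */
};
#define NRANGES (sizeof ranges / sizeof ranges[0])

/* Parse dotted-quad text into a host-order integer; 0 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Binary search over the sorted ranges: log2(n) probes, the same cost profile as a
 * perfectly balanced BST over the same keys. "--" when no range contains ip. */
const char *lookup_cc(uint32_t ip)
{
    size_t lo = 0, hi = NRANGES;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (ip < ranges[mid].lo)      hi = mid;
        else if (ip > ranges[mid].hi) lo = mid + 1;
        else                          return ranges[mid].cc;
    }
    return "--";
}

/* Convenience: country code for an address given as text, "??" if unparsable. */
const char *cc_of(const char *ip_text)
{
    uint32_t ip;
    return parse_ipv4(ip_text, &ip) ? lookup_cc(ip) : "??";
}

/* Exact-token membership in a comma-separated list such as "BR,DE". */
static int cc_in_list(const char *cc, const char *list)
{
    size_t n = strlen(cc);
    const char *p = list;
    while (*p) {
        const char *q = strchr(p, ',');
        size_t len = q ? (size_t)(q - p) : strlen(p);
        if (len == n && strncmp(p, cc, n) == 0) return 1;
        if (!q) break;
        p = q + 1;
    }
    return 0;
}

/* Policy: 1 = drop, 0 = pass. Unparsable input fails closed; unknown ("--")
 * passes unless "--" itself is on the blocked list. */
int should_drop(const char *ip_text, const char *blocked_csv)
{
    uint32_t ip;
    if (!parse_ipv4(ip_text, &ip)) return 1;
    return cc_in_list(lookup_cc(ip), blocked_csv);
}

int main(void)
{
    const char *blocked = "BR,DE";
    const char *probes[] = { "45.1.2.3", "62.200.0.1", "62.1.1.1", "8.8.8.8", "999.1.1.1" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-12s cc=%s  %s\n", probes[i], cc_of(probes[i]),
               should_drop(probes[i], blocked) ? "DROP" : "PASS");
    return 0;
}
```

Boundary handling is the part worth checking in a real table: the ranges are inclusive on both ends, so 62.127.255.255 resolves to the first /9 and 62.128.0.0 to the second, and any address that falls into a gap between consolidated ranges comes back as "--" rather than inheriting a neighbour's code.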