Date: Fri, 29 Jul 2016 05:53:58 -0300 From: "Dr. Rolf Jansen" <rj@obsigna.com> To: freebsd-ipfw@freebsd.org Subject: Re: ipfw divert filter for IPv4 geo-blocking Message-ID: <1E1DB7E0-D354-4D7A-B657-0ECF94C12CE0@obsigna.com> In-Reply-To: <CAFPNf59w6BHgDjLNHW=rQckZAFG4gqPHL49vLXiDmMAxVPOcKg@mail.gmail.com> References: <61DFB3E2-6E34-4EEA-8AC6-70094CEACA72@cyclaero.com> <CAHu1Y739PvFqqEKE74BjzgLa7NNG6Kh55NPnU5MaA-8HsrjkFw@mail.gmail.com> <4D047727-F7D0-4BEE-BD42-2501F44C9550@obsigna.com> <c2cd797d-66db-8673-af4e-552dfa916a76@freebsd.org> <9641D08A-0501-4AA2-9DF6-D5AFE6CB2975@obsigna.com> <4d76a492-17ae-cbff-f92f-5bbbb1339aad@freebsd.org> <C0CC7001-16FE-40BF-A96A-1FA51A0AFBA7@obsigna.com> <677900fb-c717-743f-fcfe-86b603466e33@freebsd.org> <0D3C9016-7A4A-46BA-B35F-3844D07562A8@obsigna.com> <CAFPNf59w6BHgDjLNHW=rQckZAFG4gqPHL49vLXiDmMAxVPOcKg@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> Am 28.07.2016 um 23:48 schrieb Lee Brown <leeb@ratnaling.org>: >=20 > That makes sense to me. Your /20 range encompasses 201.222.16.0 - > 201.222.31.255. > If you want 201.222.20.0-201.222.31.255, you'll need 3 ranges: >=20 > 201.222.20.0/22 (201.222.20.0-201.222.23.255) > 201.222.24.0/22 (201.222.24.0-201.222.27.255) > 201.222.28.0/22 (201.222.28.0-201.222.31.255) Ian, Julian and Lee, Thank you vary much for your responses. In order not bloat the thread, I = answer only to one message. I found the problem. As a matter of fact, the respective IP ranges in = the LACNIC delegation statistics file are 3 adjacent blocks with 1024 = addresses, i.e. those that you listed in your message above: $grep 201.222.2 /usr/local/etc/ipdb/IPRanges/lacnic.dat lacnic|BR|ipv4|201.222.20.0|1024|20140710|allocated|164725 lacnic|BR|ipv4|201.222.24.0|1024|20140630|allocated|138376 lacnic|BR|ipv4|201.222.28.0|1024|20140701|allocated|129095 However, my database compilation combines adjacent blocks with the same = country code, and the ranges above turn into one block of 3072 = addresses, which obviously doesn't have a valid netmask - log(3072) =3D = 11,5849625. My divert filter daemon is agnostic about this, because the = exact ranges are stored in the database and for the purpose of country = code lookup the address lookup routine doesn't need to work with = netmasks. I choose it this way, because I read some RIR documentation = stating that delegated address blocks are not necessarily complete CIDR = ranges. Even if the above ranges conform to CIDR, future delegations may = be different, and I wanted to stay on the safe side. So far so good. Now, the actual problem with ipfw tables in the given = context is that explicit IP ranges are not accepted but ranges must be = given in CIDR notation, and I simply forgot about the tiny detail that = CIDR is inherently granular, and that this may of course conflict with = my CC/IP database optimization strategy. Without combining adjacencies, = the complete database has 165815 instead of 83274 records. Perhaps, I = add an option to the db tool for CIDR conformity. In this respect, it is = not sufficient to forget about optimization but I need to check also = whether, the delegation files contain already some non-CIDR ranges, = which needs to be broken down. Best regards Rolf
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1E1DB7E0-D354-4D7A-B657-0ECF94C12CE0>