-
@p @sjw @i @admin @not_br549 @parker @graf @john_rando @verita84 @Moon Is it?
https://ipset.netfilter.org/
>IP sets are a framework inside the Linux kernel, which can be administered by the ipset utility. Depending on the type, an IP set may store IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names or combinations of them in a way, which ensures lightning speed when matching an entry against a set.
Sure, when you're just blocking a bunch of addresses/subnets, you might get away with creating separate rules for them, but when the count is in thousands, I think it's better to make a single match-all rule.
-
@mint @sjw @admin @p @not_br549 @parker @graf @john_rando @verita84 @Moon yeah it's still in the kernel even if you don't have the userspace tools for it, same as iptables itself now being an abstraction over nftables
-
@mint @Moon @admin @graf @i @john_rando @not_br549 @parker @sjw @verita84
> Is it?
It's a separate source tarball from iptables, a separate package in both CRUX and Slackware. They may talk to a standard kernel interface but it is a different (if related) project.
> when you're just blocking a bunch of addresses/subnets, you might get away with creating separate rules for them, but when the count is in thousands, I think it's better to make a single match-all rule.
Yeah, it seems like it'd be useful to be able to make several rules; the blocks of IPs are not well organized on these systems. I have a pile of scripts that add/remove rules, it seems like it'd be simpler to rework them so that they add/remove IPs from sets.
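As an added example (not written by any poster in this thread and not part of the ipset project), here is the shape the reworked scripts from the last post could take: a POSIX sh helper that turns a plain blocklist file into one `ipset restore` session and prints the single `iptables -m set` rule that consults it. The set name `blocklist`, the scratch set `blocklist_new`, the helper names and the sample addresses are all assumptions for illustration. Two practitioner details are built in: entries are validated before they reach `ipset restore`, because restore executes whatever commands the file contains, so an unvalidated line from an untrusted feed is an injection point; and the set is rebuilt into a scratch set and swapped in, so the live rule never sees a half-loaded set.

```shell
#!/bin/sh
# Hypothetical helper (not ipset's own tooling): build an `ipset restore`
# session from a blocklist with one IPv4 address or CIDR per line ('#'
# comments allowed), and print the one iptables rule that matches the set.

# Accept only "a.b.c.d" or "a.b.c.d/n" (octets 0-255, prefix 1-32).
# Anything else is rejected so stray tokens can never reach `ipset restore`.
valid_net() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1
            if (NF == 5 && ($5 !~ /^[0-9][0-9]?$/ || $5 + 0 < 1 || $5 + 0 > 32)) exit 1
            exit 0
        }'
}

# Emit a restore session that rebuilds SET from FILE atomically: fill the
# scratch set SET_new, swap it into place, then destroy the old contents.
# One restore session is far cheaper than thousands of `ipset add` forks.
gen_ipset_restore() {
    set_name=$1
    list=$2
    tmp="${set_name}_new"
    printf 'create %s hash:net family inet -exist\n' "$set_name"
    printf 'create %s hash:net family inet -exist\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                               # drop comments
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')   # and whitespace
        [ -z "$entry" ] && continue
        if valid_net "$entry"; then
            printf 'add %s %s -exist\n' "$tmp" "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done < "$list"
    printf 'swap %s %s\n' "$tmp" "$set_name"
    printf 'destroy %s\n' "$tmp"
}

# The single rule that replaces thousands of per-address rules; it only
# needs to be installed once, reloading the set does not touch it.
gen_iptables_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$1"
}

# Load the set for real (root required). Not called below.
apply_blocklist() {
    gen_ipset_restore "$1" "$2" | ipset restore
}

# Constructed sample blocklist (documentation ranges, not real data),
# including two malformed lines that must be skipped.
sample_blocklist() {
    cat > "$1" <<'EOF'
# constructed sample, not real data
192.0.2.10
198.51.100.0/24   # a whole /24
not-an-address
203.0.113.256
10.0.0.0/8
EOF
}

# Stand-alone demo: print the session and the rule without touching the kernel.
demo_dir=$(mktemp -d)
sample_blocklist "$demo_dir/list.txt"
gen_ipset_restore blocklist "$demo_dir/list.txt"
gen_iptables_rule blocklist
rm -rf "$demo_dir"
```

To use it on a box: `gen_ipset_restore blocklist list.txt | ipset restore` as root, then run the printed `iptables` line once; subsequent reloads only re-run the restore, and `ipset save` captures the set for boot-time persistence. Removing an address is just editing the list and reloading, which is what makes the set approach simpler than tracking individual rules.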