On Tue, 14 Jul 20, 07:11:39, Dan Ritter wrote:
> Andrei POPESCU wrote:
> > On Mon, 13 Jul 20, 18:41:39, Ross Boylan wrote:
> > >
> > > The interface has a pre-up script that has over 1,000 iptables add lines
> > > for blacklists, and I suspect this is slowing things down enough to cause
> > > trouble. I was not having problems when the script was shorter.
> >
> > P.S. as far as I understand nftables should handle these much better
> > than iptables. May or may not help with your actual problem.
>
> iptables is currently a frontend to nftables.
>
> The way to handle a giant blocklist efficiently is ipset, which manipulates
> large groups of IPs that will be matched for a particular rule.
Disclaimer: I'm not an expert on either iptables or nftables, this is just
based on some documentation I read.

As far as I understand, while iptables (in buster) is indeed a frontend to
nftables, nftables has new features that are not usable with iptables syntax.

https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

In particular regarding ipset, this page suggests manual translation is
necessary:

https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_ipset_to_nftables

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser
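An added example, written for this thread and not code from any of the posters or from the nftables wiki: a POSIX shell script that takes a plain blocklist file (one IPv4 address or CIDR per line) and emits either the ipset-plus-one-iptables-rule form Dan describes, or the hand-translated nftables named-set form that the "Moving from ipset to nftables" page refers to. The set, table and chain names, the `inet filter` table, and the sample addresses (documentation ranges) are assumptions; the script only prints the configuration and applies nothing.

```shell
#!/bin/sh
# Added example, not from the thread or the nftables wiki.
# Turns a plain blocklist (one IPv4 address or CIDR per line, '#' comments
# allowed) into either:
#   (a) ipset commands plus a single iptables rule, or
#   (b) a native nftables ruleset with a named set.
# It only prints text; nothing is applied to the running kernel.
# Set/table/chain names below are assumptions, not from the thread.

# Constructed sample blocklist (documentation ranges, not real offenders).
BLOCKLIST_SAMPLE='# constructed sample
192.0.2.0/24
198.51.100.7
203.0.113.0/25
'

# Read stdin, drop comments and blank lines, trim whitespace, and give bare
# addresses an explicit /32 so both backends receive uniform CIDR notation.
normalize_blocklist() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' |
        awk '{ if ($1 !~ /\//) $1 = $1 "/32"; print $1 }'
}

# (a) ipset: one hash:net set, N "add" lines, ONE iptables rule. The kernel
# matches against the set with a hash lookup instead of walking N rules.
gen_ipset_commands() {
    echo "ipset create blocklist hash:net -exist"
    echo "ipset flush blocklist"
    normalize_blocklist | awk '{ print "ipset add blocklist " $1 " -exist" }'
    echo "iptables -I INPUT -m set --match-set blocklist src -j DROP"
}

# (b) nftables: the same list as a named set with 'flags interval' (needed
# for CIDR elements) and one rule referencing it. This is the manual
# translation from ipset that the wiki page describes.
gen_nft_ruleset() {
    elems=$(normalize_blocklist | paste -sd, - | sed 's/,/, /g')
    printf 'table inet filter {\n'
    printf '  set blocklist {\n'
    printf '    type ipv4_addr\n'
    printf '    flags interval\n'
    printf '    elements = { %s }\n' "$elems"
    printf '  }\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy accept;\n'
    printf '    ip saddr @blocklist drop\n'
    printf '  }\n'
    printf '}\n'
}

# Usage: pipe the real file instead of the sample, then review the output
# before feeding it to 'sh' (ipset form) or 'nft -f -' (nftables form).
printf '%s' "$BLOCKLIST_SAMPLE" | gen_ipset_commands
printf '%s' "$BLOCKLIST_SAMPLE" | gen_nft_ruleset
```

Either form replaces the 1,000-plus individual rules with a single rule plus a set lookup, which is where the pre-up time goes; on a host that already runs the nft backend, the second form avoids the compatibility layer entirely, at the cost of the manual translation the wiki page mentions.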