I would like to ask you which is faster in terms of performance: GeoIP or IPset?

Let me explain. Imagine that I have this rule:

iptables -A INPUT -m geoip ! --src-cc US,UK,CA -j DROP

And imagine that I have an IPset of hash:net and I put all these IPs (from US, UK and CA) into the hash:net country_whitelist set.

iptables -A INPUT -m set --match-set country_whitelist src -j ACCEPT

Which is faster, GeoIP or IPset? We know that IPset is fast because it uses a hash table (for hashes), but I don't know how GeoIP works, if it isn't like 1 subnet for 1 rule.

tomsk
  • The iptables geoip extension requires a third party kernel module which may or may not even be available on any given system. But ipset is part of the kernel. It doesn't matter which is faster if you have no access to third party kernel modules. – Michael Hampton Sep 07 '18 at 11:53
  • @MichaelHampton I have access to that third party kernel module. – tomsk Sep 07 '18 at 11:54