Kevin wrote:

I wonder if anyone can help?  I need to put 1,500,000 IP entries into a
table.  My box is a P3-450 CPU, 1.5G of RAM, 6G IDE HD, 2NIC, Openbsd
3.4 with custom kernel running a bridge with PF.  So far works great
except when I tried to load a large list of IPs into a PF table.

So far I have managed to load 800,000 IPs into a table when I set
nkmempages to 32768.  49152 & 65536 fails to boot with:


Outblaze Ltd. www.outblaze.com


Personally, I think they're nuts for a variety of reasons. But more
importantly, I wanted to bring full disclosure to this posting. Namely, if I
know for an absolute, certain, indubitable fact that none of my machines
have met their 'requirements', why on Earth am I being contacted by them?

Perhaps it's completely innocuous; perhaps not. Now that I'm thinking about
it, how many innocent people/servers are being blacklisted by this
technique?

Who knows if they're on the level or not. But at the risk of helping some "nuts", there's a really simple technique that can be used to put a table of *ANY* number of IPV4 IPs into this guy's machine. Since he's from Hong Kong it might not help, since he might need IPV6, but here goes anyway.


As someone else recently said: USE THE SOURCE

There are 4,294,967,296 theoretically possible IPV4 addresses. Since allocation can't go past 223.255.255.255, there are only 87% of that number that can exist.

Allocating 1 bit per IP address, a yes/no lookup table can be created in 448 MB of RAM. And that's all that's needed:

1) a program that creates a 448 MB lookup table, 1 bit per IP

2) modification to pf source to do a table lookup into that table to get a yes/no answer.

The lookup then becomes a trivial operation to code, and runs in constant time (i.e. extremely fast).

I'm also assuming that a single bit of information per IP is all the poster needs, e.g. to make a yes/no decision on whether or not to blacklist an IP.
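A sketch of step 1 in C, as an added example and not code from the poster or from pf: the address is the bit index, so one shift and one mask answer "is this IP in the table" in constant time. The range limit (224 * 2^24 addresses, i.e. 448 MB) follows the post; the `ipv4_bitmap` type, its functions and the parse helper are my names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Addresses 0.0.0.0 .. 223.255.255.255, as the post assumes: 224 * 2^24 of them. */
#define IPV4_TABLE_LIMIT ((uint32_t)224u << 24)

typedef struct {
    uint32_t limit;   /* number of addresses covered: 0 .. limit-1 */
    uint8_t *bits;    /* one bit per address, 1 = listed */
} ipv4_bitmap;

/* Allocate a zeroed table covering [0, limit); IPV4_TABLE_LIMIT needs 448 MB. */
int ipv4_bitmap_init(ipv4_bitmap *t, uint32_t limit) {
    t->limit = limit;
    t->bits = calloc(((size_t)limit + 7u) / 8u, 1);
    return t->bits ? 0 : -1;
}

void ipv4_bitmap_free(ipv4_bitmap *t) { free(t->bits); t->bits = NULL; t->limit = 0; }

/* Dotted quad -> host-order 32-bit value; rejects octets > 255 and trailing junk. */
int ipv4_parse(const char *s, uint32_t *out) {
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Mark one address as listed; returns 0 if it lies outside the covered range. */
int ipv4_bitmap_add(ipv4_bitmap *t, uint32_t ip) {
    if (ip >= t->limit) return 0;
    t->bits[ip >> 3] |= (uint8_t)(1u << (ip & 7u));
    return 1;
}

/* Constant-time membership test: byte index = ip/8, bit = ip%8. */
int ipv4_bitmap_test(const ipv4_bitmap *t, uint32_t ip) {
    if (ip >= t->limit) return 0;
    return (t->bits[ip >> 3] >> (ip & 7u)) & 1u;
}

/* Bytes a table covering `limit` addresses occupies (448 MB for the full range). */
size_t ipv4_bitmap_bytes(uint32_t limit) { return ((size_t)limit + 7u) / 8u; }
```

Loading the 1,500,000-entry list is then a loop of `ipv4_parse` plus `ipv4_bitmap_add`; step 2, hooking the test into pf, is left as the post describes it.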
