- 07 Mar, 2022 1 commit
-
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
- 06 Mar, 2022 4 commits
-
-
Michael Tremer authored
Formerly, we did not allow creating special networks like ::1/128, ::/0, 127.0.0.0/8, and so on. In order to represent all bogons, we will have to allow this. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
The former algorithm did a lot of trial and error which is slow and probably returned wrong results. This one determines the correct prefix size quickly. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
- 05 Mar, 2022 7 commits
-
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
This patch adds code to parse any aggregated networks. Bird does not automatically show the last ASN of the path, but we can collect all networks that we can see without any ASN and perform "show route <network> all" on them to gather this information. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
- 03 Mar, 2022 3 commits
-
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
This patch moves creating the "tag" (formerly known as prefix) into the writer class, so that we can modify it based on what output format we have. ipset and nftables will need disjunct names for IPv6 and IPv4 because they cannot handle mixed sets. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
It is possible to filter for what kind of network should be exported. This worked well when the filter list only contained country codes, or when it only contained ASNs. If there was a mix, only networks that match both (i.e. virtually nothing) matched. This patch fixes that we will use for either of them. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
- 02 Mar, 2022 6 commits
-
-
Peter Müller authored
My fault, again. :-/ Reported-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
This is useful if you want to pipe output straight into another program. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
By default, we enabled flattening of the network tree when we export it. However, this is only required for xt_geoip since the other formats can deal with overlapping networks and would even benefit from a shorter list. Therefore this is now only enabled when needed which results in shorter export times (9 seconds instead of 2.5 minutes) and the full ipset is about 20% smaller when loaded into memory than before. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
When we try to load a changed set which might have more entries, a previous maxelem could have been smaller, preventing us from adding new entries. We also cannot run the "create" command with a changed maxelem parameter, which is why this patch sets the value to something that should be large enough for everything. The downside of this is also that we cannot modify the hashsize when we reload a set, which is probably okay, since sets should not change too much in size and therefore will only run *slightly* less efficiently - if at all. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
- 01 Mar, 2022 2 commits
-
-
Michael Tremer authored
IPv6 exports could not be loaded because sets were created as type "inet" instead of "inet6" which is fixed by this patch. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
ipset uses a hash table internally which can be dynamically sized to choose whether more space efficiency or performance is required. Prior to this patch, we always set the size of the hash table to 1024 buckets. Having large sets with almost half a million entries, this is not performing well since we will spend a lot of time in searching the linked list. This will probably perform even slower on systems with smaller cache sizes like the IPFire Mini Appliance. Having more buckets that are sparsely filled will result in fewer memory fetches at the cost of more wastage. Throughout the whole IPv4 set, this ranges from about 50 MB for a factor of 4, to about 100 MB for a factor of 0.75. Since memory of this quantity is cheap and since we want to increase throughput, I have chosen to set the fill factor to 0.75. Logistically, it is a little bit complicated to know this in advance when we have to write the header, so we will write the entire file first, and then come back to write the header again. This is required to keep memory consumption down during the export. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
- 25 Feb, 2022 1 commit
-
-
Stefan Schantl authored
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
- 16 Feb, 2022 1 commit
-
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
- 11 Feb, 2022 3 commits
-
-
Michael Tremer authored
This change allows "restoring" a file multiple times without problems. If the set already exists, the create command will skip it and we will flush any existing content to load the new one. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Peter Müller authored
Suggested-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Peter Müller authored
Reported-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
- 02 Jan, 2022 4 commits
-
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
This isn't pretty but makes substitution rules easier and working correctly. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
- 13 Dec, 2021 4 commits
-
-
Peter Müller authored
Apparently, LACNIC does not do proper input validation on supplied country codes, so people can use "UK", while they probably mean "GB" instead. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Peter Müller authored
This silences a bunch of warnings due to allocations at APNIC having country code set to "ZZ", which are completely irrelevant to us. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Peter Müller authored
This improves country code accuracy for suballocations within IP space managed by LACNIC, as the delegated-extended-latest file only provides country code information at the top level of an allocated network. Sadly, lacnic.db.gz does not contain descriptions or names of Autonomous Systems within the space maintained by LACNIC. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Peter Müller authored
Previously, any present override for a given network or ASN would have caused the SQL statement not to conduct anything at all. Since "is_drop" is the only flag being actually set here, it makes sense to do so in case of already present overrides as well. The effect of this is limited: Our own override files are always considered at last, so in case of conflicts they will be the ultima ratio. This is an intended behaviour, but slipped my mind when I filed bug #12728, so this patch can only be seen as a partial solution - the rest is not a bug, but a feature. :-) Partially fixes: #12728 Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
- 23 Nov, 2021 3 commits
-
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
This reverts commit 2ca0603f. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
- 20 Nov, 2021 1 commit
-
-
Michael Tremer authored
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-