From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: ipblacklist V2 Date: Tue, 01 Mar 2022 13:13:22 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4997773554663184481==" List-Id: --===============4997773554663184481== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello Stefan, Thank you for diving into this. As you will all have seen, Stefan and Peter have recently migrated things awa= y from xt_geoip and used ipset which is also being used for the blocklists. I= t would be great to combine all the code so that we have to maintain as littl= e as possible. On that note, something that I didn=E2=80=99t bring up yet, but which should = probably be raised is that =E2=80=9Cblacklist=E2=80=9D is probably not a good= name any more in 2022. We use that term in many other places and didn=E2=80= =99t change it yet, however, I would like to lead with a good example and add= new code only under the more current names. I don=E2=80=99t have the intenti= on to change the existing places myself, but I would be happy to accept a pat= ch just so that we are consistent. I also believe that =E2=80=9Cblocklist=E2= =80=9D and =E2=80=9Callowlist=E2=80=9D describe the whole functionality much = better than black and white. I am not sure whether it is a good idea to rename everything rather sooner or= at the end of the development process. Frankly it doesn=E2=80=99t matter, bu= t it would be cool if the patchset put forward for merging into next would ha= ve this change. On top of that I have a number of random things we would need to consider: https://git.ipfire.org/?p=3Dipfire-2.x.git;a=3Dblob;f=3Dconfig/kernel/kernel.= config.x86_64-ipfire;hb=3D6e2c8f48182c169edb177526d7f639b0631d57cc#l1272 > CONFIG_IP_SET_MAX=3D256 This is the maximum number of ipsets the kernel is able to load at a time. Ar= e we in any danger that we might hit this limit? If some (and yes, they shoul= dn=E2=80=99t, but the bloody do) enables all countries on the location filter= that brings them already to 260. I would say that we should potentially rais= e this to 1024 or 2048 depending on how many people might make a lot of use o= f the AS block feature when that arrives. I also stumbled over the hash size parameter. Stefan reported that the new DR= OP HOSTILE feature is slowing down his network, which is quite likely happeni= ng because of us hardcoding the hash size to 1024 (which is also the default = for ipset). Investigating any further, and testing a little bit around with memory overhe= ad, I rewrite this in libloc: https://git.ipfire.org/?p=3Dlocation/libloc.git;a=3Dcommitdiff;h=3D47de14b0= 1a0fae69994131e4fb9239738570ab38 We are now counting the networks that we export (which is a little bit compli= cated, but doesn=E2=80=99t matter in this context) and then calculate the cor= rect hash size with a factor. Choosing that factor is now the hard part and I= have decided to start with 0.75. That means that we will definitely waste so= me memory, but we will hopefully not have to perform any linked list search w= hatsoever. Maybe this will need some adjustment, but it looks good to me. See= the comment message for more details. In IP blocklist, we have a factor of one which we potentially might want to l= ook at as well, since those lists will be hit a lot. Has anyone conducted any= benchmarks already? -Michael > On 28 Feb 2022, at 19:32, Stefan Schantl wrot= e: >=20 > Hello Rob, Hello Tim, Hello *, >=20 > as anounced on this list, I'm currently working on getting the > ipblacklist feature as a core component into IPFire. >=20 > I already had a look on the code, which looks nice and very clean to > me. As I'm currently also working on getting all ipset related set > stuff and rule creation under one hood, this perfectly fits to this. >=20 > So my idea to put the ipblacklist feature over the line, was to split > some parts of the ipblacklist "main script" (especially the ipset and > iptables related stuff) into the perl-based script which is responsible > for iptables rule creation. >=20 > In this case some other parts of the script (which where necessary in > the past, because ipblacklist initial has been designed as an addon) > also can be stipped. >=20 > Affected parts for example would be the "start", "stop", "enable" and > "disable" code, which is not longer required and therefore safely can > be dropped. >=20 > In the very end the main task for the script would be to download, > update, convert and store the blacklists into an ipset compatible > format. >=20 > Apart from this, I currently do not see any bigger changes for the WUI > related stuff. >=20 > @Tim: I hope these changes are okay for you. >=20 > Getting started, I noticed, that there currently are two git > repositories available, which contain the source for ipblacklist. >=20 > There is the origin one from Tim and a slightly modified (fixed) v3 > version from Rob. I' currently trying to determine, which one would be > the best to start from - are there any deeper changes/differences > between them? >=20 > Please feel free to ask any kind of questions or share you opinion. As > usual, I'll share any progress here. >=20 > Best regards, >=20 > -Stefan=20 >> Hi. >>=20 >> I have been looking at Tim FitzGeorge's code for ipblacklist v2 on=20 >> https://patchwork.ipfire.org/project/ipfire/list/?series=3D1215 to see >> if I=20 >> can help progress its incorporation into IPFire. >> After I extracted the programs from Patchwork I have been able to >> build them=20 >> into my firewall where they are running very successfully. >> The code on the server seems to be in good shape and apart from a few >> small=20 >> patches and additions of a few missing scripts I think it could be=20 >> successfully introduced into the IPFire code base. >> I am more than happy to help in seeing this process carried out but >> need to=20 >> know if this is acceptable to yourselves. >>=20 >> Regards >> Rob Brewer >=20 >=20 --===============4997773554663184481==--