
Country Blocking - geoip module vs ipset module

Discussion in 'Tomato Firmware' started by jerrm, Aug 5, 2013.

  1. jerrm

    jerrm Network Guru Member

    Now that Shibby has ipset support, does anyone know of a reason not to use ipset instead of the geoip module?

    Does anyone know of any scripts to build the geoip database using only stock Tomato scripting tools to replace the csv2bin executable? Rewriting the C code to awk might be feasible, but I don't have the time to commit.

    I can generate ipset network lists from either ipdeny.com or maxmind.com data with stock tools, no need for other compiled executables, but at present I think ipset is a shibby-only option.
     
  2. jerrm

    jerrm Network Guru Member

    Giving a single bump. Any opinions?
     
  3. kthaddock

    kthaddock Network Guru Member

    shibby20 likes this.
  4. jerrm

    jerrm Network Guru Member

    Nice find, good to know stock ASUS (or at least Merlin) does ipset too.

    Right now I am leaning toward ipsets using the maxmind.com geolite database.

    With the ipset module I can do the data conversion on the router with about 3.5K of scripts (fully start/stop/update/cron enabled), which is nvram storable.

    The geoip module, as far as I can find so far, requires the csv2bin executable to convert the data. I have compiled csv2bin to run on the router, but it is about 17K + 2.5K or so of scripts.

    Testing shows comparable performance and identical blocking results.
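
The kind of on-router conversion described in the post above, as an added example that is not part of the thread and not jerrm's scripts: a shell/awk function that turns a zone file into `ipset restore` input, rejecting malformed lines and duplicates. Assumptions: the input is one IPv4 CIDR per line, the router's ipset accepts 6.x syntax (`hash:net`), and the names `zone_to_restore`, `sample_zone` and `geoblock` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes ipset 6.x restore syntax.

# zone_to_restore SETNAME  < cidr-list  > restore-script
zone_to_restore() {
    awk -v set="$1" '
    # Accept only a.b.c.d/len with octets 0..255 and prefix length 1..32.
    function valid(cidr,    p, o, i) {
        if (split(cidr, p, "/") != 2) return 0
        if (p[2] !~ /^[0-9]+$/ || p[2] + 0 < 1 || p[2] + 0 > 32) return 0
        if (split(p[1], o, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }   # strip comments, blanks, CRs
    $0 == ""    { next }
    !valid($0)  { bad++; next }                # never hand junk to ipset
    !seen[$0]++ { net[++n] = $0 }              # drop duplicates, keep order
    END {
        # Size the hash up front so the set does not rehash while loading.
        size = 1024
        while (size < n) size *= 2
        max = (n > 65536) ? n : 65536
        printf "create %s hash:net family inet hashsize %d maxelem %d\n", set, size, max
        for (i = 1; i <= n; i++) printf "add %s %s\n", set, net[i]
        if (bad) printf "skipped %d invalid line(s)\n", bad > "/dev/stderr"
    }'
}

# Constructed sample input (documentation address ranges, not country data).
sample_zone() {
    cat <<'EOF'
# constructed sample zone file
192.0.2.0/24
198.51.100.0/24
192.0.2.0/24
203.0.113.0/33
999.1.1.0/24
203.0.113.0/24
EOF
}
```

On the router the output would be piped into `ipset restore`, for example `zone_to_restore geoblock < cn.zone | ipset restore`, where `cn.zone` is a placeholder file name.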
     
  5. RMerlin

    RMerlin Network Guru Member

    ipset is something that I added, it's not included in the stock FW.

    I would suspect that ipset is more efficient, but I admit I never ran any benchmark to confirm it.
     
  6. jerrm

    jerrm Network Guru Member

    Yeah, just saw in git it was from your branch. Many Thanks!

    My performance testing has not been extensive, but neither has any real impact on overall performance at my traffic levels, therefore either is acceptable.

    The geoip module appears a little more memory efficient if loading larger blocklists. With a largish 15 country list, ipset appears to use 900K more memory according to the status page.
     
