I thought to myself, “here has to be a better way.” And, of course… there is. Here’s how.

The trick to speeding up lookups in a huge list is to not just search the whole list. Hashes and trees are commonly used, but iptables doesn’t really have either by default. It has a few small hashes, but they can only store single IPs. The collected Bluetack blocklist is some 2.2 billion IPs; if they’re entered individually this might cause some memory issues.

But there is a handy extension which works very nicely for this, IPSet. You can download it from http://ipset.netfilter.org/install.html. It installed and loaded with no problems or kernel recompiles or anything ugly like that on my system.

It has a handy save/restore feature, similar to iptables. So all we need to do is convert a PG list into one of its files.
I wrote a quick program to do just this, dubbed pg2ipset (link fixed now, oops!)
It’s very simple, uses no libraries, so you can compile it with something like gcc -O3 -o pg2ipset pg2ipset.c

One of the things I love about Linux (or UNIX in general) is pipes. So you can do something like this:
curl -L http://www.bluetack.co.uk/config/level1.gz | gunzip -c | pg2ipset - - LEVEL1 | ipset -R
That line will load the level 1 PG blocklist into an IPSet called “LEVEL1″. You can then add iptables rules like this:
iptables -A INPUT -m set --set LEVEL1 src -j DROP
iptables -A FORWARD -m set --set LEVEL1 src -j DROP
iptables -A FORWARD -m set --set LEVEL1 dst -j REJECT
iptables -A OUTPUT -m set --set LEVEL1 dst -j REJECT
This will cause anything a blocked IP sends you to mysteriously vanish as if you weren’t even there, while any of your programs which try to connect to a blocked IP are informed it won’t work. Adjust to your liking, as always; if you have ipt_TARPIT, this would be a great place.

To update the list, you can have a cron job do something like this every day or so:
curl -L http://www.bluetack.co.uk/config/level1.gz | gunzip -c | pg2ipset - - LEVEL1-NEW | ipset -R
ipset -W LEVEL1 LEVEL1-NEW
ipset -X LEVEL1-NEW
This loads the blocklist to “LEVEL1-NEW”, swaps it with “LEVEL1″ once it’s done loading, then deletes the old list, leaving no unprotected gap in the middle.

It’s fairly quick, even on the ancient 800 MHz Pentium III which I use for a router. I haven’t tested it extensively, so if anyone has trouble, please leave a comment and I’ll try to help.

Right from the start, the new installer was nice. Not a command-line thing needing enter hit a dozen times anymore. Once inside, I found it supports hardware 3D acceleration right in the settings now, something only very experimental in previous versions.

But my favourite feature is something they call “Unity”

Full Screen Image

Yep, that’s right. Internet Exploder running in Linux, looking just like it belongs there. No virtualizer window. Not that Internet Exploder is an app I’d actually WANT to run in Linux, but it shows you what it can do. And you aren’t limited to just one virtual machine either, you can have several unified at once, each identified with its own colour.

Unfortunately being a beta it’s forced to run in debug mode, which means it’s HORRIBLY slow. But that’ll be all better once it’s released. Looking forward to it, VMware guys!

These are my results with SLI disabled in the drivers (both cards still in the system):

And these are my results with SLI enabled, no other changes:

As you can see, there’s a HUGE benefit in every area where the 3D card applies, even something as simple as the fill rate tests. I strongly suspect the same applies to ATI’s Crossfire, but I can’t prove it, as I don’t have any of the hardware required.

However, this is the last time I spend over an hour jumping through hoops just to educate someone.

When changing a lightbulb today, I noticed the following written on the package:

Guaranteed to last up to 5 years. But not more than that! In fact, if it doesn’t blow within 5 years, they’ll replace it with one that did, no charge!

For the curious, the bulb in question is a Philips Marathon fluorescent bulb for standard light sockets. The light it makes is fairly good, especially considering it’s only 15W. But we’ll see how long it lasts…

Naturally, someone got all whiny about it — not an actual patient, but the daughter of one — and now everyone’s talking about it. A lot of people are split over this. Relatives and caregivers of people with mental illnesses are upset. Other people think they’re funny.

Those who know me already know this, but I myself have two of the listed illnesses, plus several unlisted ones.

I think they’re great.