Once upon a time, Stephen John Smoogen smooge@gmail.com said:
> It will because it is a linear list that every packet has to be 'judged' against. Even if you break it down to 2 or 3 trees it will still take a while.
Putting them in ipset would be much better performance (uses hash, so not a linear search). It also makes for a much more readable and manageable firewall config. I use ipsets for most everything these days, even where there are just a few IPs/networks involved. However...
> Any list of ip addresses is going to be outdated by a year because of how ranges are so dynamic these days. Most 'bad-guys' can jump around a couple hundred thousand or million ip addresses without much cost on their part and can get new ranges to screw around weekly.
Yeah, it's going to be a useless list. If you want to protect services, then short-term blocking like fail2ban is okay - better is to just allow your "known good" sources and not try to block things bit by bit.
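The two points above (put the prefixes in a hash-backed ipset rather than a long rule chain, and prefer an allow-list of known-good sources) can be combined into one small script. The following is an added example, not code from either poster: it validates a list of IPv4 prefixes, emits an `ipset restore` stream that loads them into a scratch set and swaps it into place atomically (so a stale list can be refreshed in one step with no empty-set window), and emits the two iptables rules that consult the set. The set name `trusted_v4`, the prefixes and the port 22 are invented for the example; the generated text is meant to be piped into `ipset -exist restore` and run as root, which the script itself does not do.

```sh
#!/bin/sh
# Added example (not from the thread). Builds an ipset-backed allow-list:
# one hash:net set holding the trusted prefixes, consulted by a constant
# number of iptables rules however many prefixes are listed.
# Set name, prefixes and port below are made up for the example.
set -euf   # -f: no globbing, so the dotted-quad split below cannot expand '*'

# Accept a dotted-quad IPv4 address or a.b.c.d/n prefix; reject anything else.
# ipset restore aborts on the first bad line, so filter before emitting.
valid_cidr4() {
    case $1 in
        */*) _net=${1%/*}; _len=${1#*/} ;;
        *)   _net=$1;      _len=32 ;;
    esac
    case $_len in ''|*[!0-9]*) return 1 ;; esac
    [ "$_len" -le 32 ] || return 1
    _ifs=$IFS; IFS=.
    set -- $_net          # split on dots into the function's positional params
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Emit an `ipset restore` stream: build NAME_new from scratch, then swap it with
# NAME and destroy the scratch set, so readers never see a half-loaded set.
# Invalid entries are reported on stderr and skipped. Feed to `ipset -exist restore`
# so re-running against an existing set is not an error.
ipset_load_stream() {
    _name=$1; shift
    _tmp="${_name}_new"
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$_name"
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$_tmp"
    printf 'flush %s\n' "$_tmp"     # in case a previous run died before destroy
    for _entry in "$@"; do
        if valid_cidr4 "$_entry"; then
            printf 'add %s %s\n' "$_tmp" "$_entry"
        else
            printf 'skipping invalid entry: %s\n' "$_entry" >&2
        fi
    done
    printf 'swap %s %s\n' "$_tmp" "$_name"
    printf 'destroy %s\n' "$_tmp"
}

# Emit the iptables rules for an allow-list stance on one TCP port:
# accept sources found in the set (hash lookup), drop everyone else.
allowlist_rules() {
    _name=$1; _port=$2
    printf 'iptables -A INPUT -p tcp --dport %s -m set --match-set %s src -j ACCEPT\n' "$_port" "$_name"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$_port"
}

# Demonstration with constructed input (documentation prefixes, one bad entry).
ipset_load_stream trusted_v4 192.0.2.0/24 198.51.100.7 not-an-ip
allowlist_rules trusted_v4 22
```

To apply it for real, capture the first function's output and run `ipset -exist restore` on it before loading the rules; re-running the same stream later replaces the set contents in one swap, which is how a list that goes stale (the second objection above) gets refreshed without ever leaving the port unprotected.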