performance block countries using iptables /netfilter

view story

http://serverfault.com – It's easy to block IPs from country using iptables (e.g. like http://www.cyberciti.biz/faq/block-entier-country-using-iptables/). However I read that the performance can go down if the deny list get too large. An alternative is installing the iptables geoip patch or using ipset ( http://www.jsimmons.co.uk/2010/06/08/using-ipset-with-iptables-in-ubuntu...) instead of iptables. Does anyone have experience with the various approaches and can say something about the performance differences ? Are there are other ways to block country IPs in linux which I did't men (HowTos)