[Bug 1687] Define set of set with in ipset list:sets

bugzilla-daemon at netfilter.org
Tue Jun 13 11:42:41 CEST 2023


https://bugzilla.netfilter.org/show_bug.cgi?id=1687

--- Comment #5 from Phil Sutter <phil at nwl.cc> ---
(In reply to wcts from comment #4)
> In terms of performance, does it make a difference to use an anonymous or
> named list? I ask this because there is a list of a single country with more
> than 20,000 IP blocks.

Anonymous *sets* as used in a rule like, e.g. 'ip saddr { 1.1.1.1, 2.2.2.2 }'
are implemented internally exactly identical to named sets. The only difference
is they are dropped along with the rule using them, and users have no means of
changing them (obviously).

The kernel chooses a set backend based on different aspects, set size is one of
them. With named sets, one may specify a max size and with anonymous sets the
size is fixed (and known). A small anonymous set may therefore utilize a faster
data structure than a small named one which doesn't specify a max size.

Just for clarification as I'm not sure where to pick you up:

Pablo's example makes use of defines which resolve in user space (i.e., when
parsing input). The three sets FR, MC and CH he defines merge into the geoip
named set before the whole thing is applied in kernel space, creating a single
set containing all the elements.

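As an added illustration of the mechanics described in this comment (not part of the bug report or of Pablo's original example), the following nftables ruleset shows three defines being merged into one named set with an explicit max size, next to an anonymous set used directly in a rule. The prefixes are constructed from the RFC 5737 documentation ranges and the table, set and chain names are arbitrary.

```nft
# Defines are expanded by nft in user space while parsing this file;
# the kernel never sees FR, MC or CH as separate objects.
define FR = { 192.0.2.0/24, 198.51.100.0/24 }
define MC = { 203.0.113.0/25 }
define CH = { 203.0.113.128/25 }

table inet filter {
    # Named set: one kernel object containing all elements of the
    # three defines. 'size' gives the kernel the max element count it
    # needs to pick a suitable backend for a named set.
    set geoip {
        type ipv4_addr
        flags interval
        size 65536
        elements = { $FR, $MC, $CH }
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # Lookup in the named set; 'nft add element' can modify it later.
        ip saddr @geoip counter accept

        # Anonymous set: same in-kernel implementation, but its size is
        # fixed at load time and it is freed together with this rule.
        ip saddr { 192.0.2.10, 192.0.2.20 } counter drop
    }
}
```

After loading with `nft -f`, `nft list set inet filter geoip` shows a single set with the merged elements, while the anonymous set appears only inline in `nft list ruleset`.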