<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Define set of set with in ipset list:sets"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1687#c5">Comment # 5</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Define set of set with in ipset list:sets"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1687">bug 1687</a>
from <span class="vcard"><a class="email" href="mailto:phil@nwl.cc" title="Phil Sutter <phil@nwl.cc>"> <span class="fn">Phil Sutter</span></a>
</span></b>
<pre>(In reply to wcts from <a href="show_bug.cgi?id=1687#c4">comment #4</a>)
<span class="quote">> In terms of performance, does it make a difference to use an anonymous or
> named list? I ask this because there is a list of a single country with more
> than 20,000 IP blocks.</span>
Anonymous *sets* as used in a rule like, e.g. 'ip saddr { 1.1.1.1, 2.2.2.2 }'
are implemented internally exactly identically to named sets. The only difference
is they are dropped along with the rule using them, and users have no means of
changing them (obviously).
The kernel chooses a set backend based on different aspects, set size is one of
them. With named sets, one may specify a max size and with anonymous sets the
size is fixed (and known). A small anonymous set may therefore utilize a faster
data structure than a small named one which doesn't specify a max size.
Just for clarification as I'm not sure where to pick you up:
Pablo's example makes use of defines which resolve in user space (i.e., when
parsing input). The three sets FR, MC and CH he defines merge into the geoip
named set before the whole thing is applied in kernel space, creating a single
set containing all the elements.</pre>
</div>
</p>
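<p>The behaviour described in the comment, shown as an added example ruleset (not Pablo's original example and not part of the bug report): three defines that nft expands in user space into one named set, a <code>size</code> option giving the kernel the upper bound it uses when picking a set backend, and an anonymous set whose size is fixed by the rule that carries it. The prefixes are constructed RFC 5737 documentation ranges, and the table, chain and define names are assumptions.</p>

```nft
# Defines are resolved by nft while parsing; the kernel never sees FR, MC or CH
# as separate sets. Constructed example prefixes (RFC 5737), not real country data.
define FR = { 192.0.2.0/24 }
define MC = { 198.51.100.0/24 }
define CH = { 203.0.113.0/24 }

table inet filter {
    # A named set: the three defines are flattened into a single element list
    # before the set is created in the kernel. "size" is the maximum element
    # count; it lets the kernel choose a backend knowing the bound in advance,
    # and it caps how far the set can later grow via "nft add element".
    set geoip {
        type ipv4_addr
        flags interval
        size 65536
        elements = { $FR, $MC, $CH }
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # Lookup against the named set; elements can be changed at runtime.
        ip saddr @geoip counter drop

        # Anonymous set: same kernel data structures as a named set, but its
        # size is fixed at two elements, it cannot be modified afterwards, and
        # it is destroyed together with this rule.
        ip saddr { 192.0.2.250, 198.51.100.250 } counter accept
    }
}
```

<p>Loading this with <code>nft -f</code> and then running <code>nft list set inet filter geoip</code> shows one set with all three prefixes and no trace of the defines, which is the user-space merge the comment refers to. The <code>flags interval</code> line is needed because the elements are prefixes rather than single addresses.</p>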
</body>
</html>