From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Dennis Jacobfeuerborn <dennisml@conversis.de>,
	netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org
Subject: Re: [ANNOUNCE] ipset-5.0 released
Date: Sun, 26 Dec 2010 13:47:07 +0000
Message-ID: <4D17475B.9000909@googlemail.com>
In-Reply-To: <alpine.DEB.2.00.1012261125100.9618@blackhole.kfki.hu>


>> OK, does that differ if I have hash:net,port set (I presume when listing with
>> ipset -L you will show the net ranges - 192.168.0.0-192.168.0.0,tcp:80-82), is
>> that right?
>
> For net types the networks are not exploded, of course:
>
> # ipset create test hash:net,port
> # ipset add test 192.168.0.0/30,tcp:80-82
> # ipset list test
> Name: test
> Type: hash:net,port
> Header: family inet hashsize 1024 maxelem 65536
> Size in memory: 16856
> References: 0
> Members:
> 192.168.0.0/30,tcp:80
> 192.168.0.0/30,tcp:82
> 192.168.0.0/30,tcp:81
>
OK, it is much clearer to me now.

You are expanding the command line port ranges (80-82 in your example 
above) to add the underlying elements. Could you not do a similar 
arrangement for the protocol as well?

For example, if I execute "ipset add test 192.168.0.0/30,*:80-82" (or 
"all" instead of "*" if that is not possible) could you not expand that 
to represent the following elements:

192.168.0.0/30,tcp,80
..
192.168.0.0/30,tcp,82
192.168.0.0/30,udp,80
..
192.168.0.0/30,udp,82

It is not a perfect solution by any stretch, but at least it will save 
me the hassle, as with the introduction of the port ranges, of executing 
the statement twice each time I want to include net and port ranges 
without being interested in the protocol match.

As an aside note: since this is a hash set I am assuming that you use 
hashes to do the match as hash matching is very fast. I also presume 
that is the main reason you expand the port ranges so that you can 
calculate the hashes for that particular element and then match it with 
the real ip/subnet,protocol,port.

If that is the case how do you match subnets? In other words (using your 
example above) how do you match (the calculated hash for) 
192.168.0.2,tcp:80 against (the calculated hash for) 
192.168.0.0/30,tcp:80 - they, on the face of it, will differ!

> However please note, the "net" types slow down linearly with the number of
> different network prefixes in the set.
>
Is this slowdown more than when I use an iptreemap set, for example? How 
does the new (hash) set's performance compare against the 'old' 
iptreemap/treemap sets used in 4.x?
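The two questions above (how a port range becomes several hash elements, and how a host address can hit an element keyed by a network) are illustrated by the following Python model. It is an added example, not ipset's own code: the set records which prefix lengths it holds, and a lookup masks the address with each of them in turn and probes the hash, which is why the quoted remark says "net" types slow down with the number of distinct prefixes. The "*" protocol wildcard is the poster's suggestion, modelled here as expansion to tcp and udp.

```python
import ipaddress

class HashNetPort:
    """Toy model of an ipset hash:net,port set (IPv4 only, constructed example)."""

    def __init__(self):
        self.members = set()   # elements keyed as (network_int, cidr, proto, port)
        self.cidrs = {}        # prefix length -> number of elements using it

    def add(self, net, proto, ports):
        """Add net,proto:port(s); a port range is expanded into one element per port."""
        network = ipaddress.ip_network(net, strict=False)
        lo, hi = (ports, ports) if isinstance(ports, int) else ports
        # "*" is the protocol wildcard proposed in the thread (not an ipset feature).
        protos = ("tcp", "udp") if proto == "*" else (proto,)
        for p in protos:
            for port in range(lo, hi + 1):
                key = (int(network.network_address), network.prefixlen, p, port)
                if key not in self.members:
                    self.members.add(key)
                    self.cidrs[network.prefixlen] = self.cidrs.get(network.prefixlen, 0) + 1

    def test(self, ip, proto, port):
        """Match a host address: mask it with every stored prefix length and probe."""
        addr = int(ipaddress.ip_address(ip))
        # One hash probe per distinct prefix length, most specific first,
        # so lookup cost grows linearly with the number of different prefixes.
        for cidr in sorted(self.cidrs, reverse=True):
            masked = addr & ((0xFFFFFFFF << (32 - cidr)) & 0xFFFFFFFF)
            if (masked, cidr, proto, port) in self.members:
                return True
        return False

    def list_members(self):
        """Render elements the way 'ipset list' shows them."""
        return sorted(f"{ipaddress.ip_address(n)}/{c},{p}:{port}"
                      for n, c, p, port in self.members)
```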

