ipset set types are really fast. It's hard to say which is faster:
the rules
iptables -A testhash -m set --set testhash src -j LOG
iptables -A testhash -m set --set testhash src -j DROP
or
iptables -N logdrop
iptables -A logdrop -j LOG
iptables -A logdrop -j DROP
iptables -A testhash -m set --set testhash src -j logdrop
In the first case there is an additional set lookup; in the second case
there are four [six] additional "wildcard" builtin matches (src, dst,
inface, outface, [proto, frag]) and one jump.
Probably the latter one is a teeny bit faster with a few cycles: hash key
computations are just more expensive operations than simple matches.
One additional advantage of using the latter method is that if you ever decide that you want to do limit matching on the LOG target (to prevent filling the logs for duplicate connect attempts) you could easily add additional entries to the logdrop chain and not have to introduce any additional hash processing as you would if you used the first method. Think of jumping to a new chain as sort of like a subroutine in your favorite programming language.
Grant. . . .
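As an added example (not from the thread above, and not ipset's or iptables' own code): the second layout, with the rate limiting Grant mentions put on the LOG rule of the logdrop "subroutine" chain so that a flood of duplicate connect attempts from a listed address costs one set lookup and at most a few log lines. It assumes a current iptables/ipset (the "ipset create" and "-m set --match-set" forms that replaced the "ipset -N" / "--set" syntax used in the thread), and the addresses, set name, chain name and rate values are constructed placeholders. Run it with the argument "apply" as root to load the rules; with no argument it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: an ipset-fed chain that jumps to a shared, rate-limited
# "logdrop" chain. Not code from the original thread. Requires root and the
# ip_set kernel modules when actually applied; otherwise it prints commands.

SET_NAME="${SET_NAME:-testhash}"   # name of the hash:ip set (assumed)
CHAIN="${CHAIN:-testhash}"         # chain that does the one set lookup (assumed)
LOG_RATE="${LOG_RATE:-5/minute}"   # assumed limit for LOG entries
LOG_BURST="${LOG_BURST:-10}"       # assumed burst for the limit match

# Execute the command, or print it when DRY_RUN=1 (used for review and tests).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the set (idempotent thanks to -exist) and add the given addresses.
create_set() {
    run ipset create "$SET_NAME" hash:ip -exist
    for ip in "$@"; do
        run ipset add "$SET_NAME" "$ip" -exist
    done
}

# The "subroutine": LOG only while under the rate limit, then always DROP.
# When the limit is exhausted the LOG rule simply fails to match and the
# packet falls through to DROP, so the log cannot be flooded.
build_logdrop() {
    run iptables -N logdrop
    run iptables -A logdrop -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
        -j LOG --log-prefix "logdrop: "
    run iptables -A logdrop -j DROP
}

# The caller: exactly one set lookup per packet, everything else in logdrop.
build_caller() {
    run iptables -N "$CHAIN"
    run iptables -A "$CHAIN" -m set --match-set "$SET_NAME" src -j logdrop
}

# The complete rule set as text (subshell so DRY_RUN does not leak out).
dry_run_rules() {
    ( DRY_RUN=1; create_set "$@"; build_logdrop; build_caller )
}

# Constructed sample addresses from the RFC 5737 documentation ranges.
case "${1:-dry-run}" in
    apply) create_set 192.0.2.10 198.51.100.7; build_logdrop; build_caller ;;
    *)     dry_run_rules 192.0.2.10 198.51.100.7 ;;
esac
```

The limit match sits on the LOG rule, not on the jump: putting it on the jump would let the packets through unlogged and undropped once the limit was exhausted, which is the opposite of what is wanted.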