On Mon, 10 Nov 2008, JC Janos wrote:

> What's the basis for choosing between ipset's iphash and iptree set types?
>
> I'm guessing it's performance, but I'm not understanding the
> difference from the man page.

The iptree type gives you the ability to add elements to the set together with a timeout value. That's all :-).

It's very hard to compare iphash to iptree: the performance and the memory usage depend on the hash parameters and the input data as well. If you use a set to catch attackers, in theory, iptree can be weaker than iphash: with properly generated IP addresses the attacker can make the tree wide and sparse (every branch has got a single sub-branch and that has got a single leaf). The iphash type is robust against such attacks, but in a hash, collisions always happen, so iphash will have holes as well.

> When to use which?

I can give you only generic guidelines: if you want entries to be timed out automatically, without using any external book-keeping, then go with iptree. If you have got a static IP address collection which consists of several (full/not full) different subnets and possibly some other addresses from here and there, then go with iptree again. Otherwise use iphash.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
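A small added model (not ipset's own code) of the two iptree properties discussed above: per-element expiry with a GC pass, and the memory blow-up when addresses are scattered so that each node holds a single child. The one-256-wide-node-per-address-byte layout and the slot size are assumptions used only to estimate allocation; the sample addresses are constructed.

```python
"""Simplified model of an iptree set: root -> b -> c -> leaf, one 256-wide node per
address byte. Added illustration, not ipset's implementation; sizes are assumed."""
import ipaddress

SLOT_BYTES = 8        # assumed: one pointer or one expiry timestamp per slot
NODE_BYTES = 256 * SLOT_BYTES


class IpTreeModel:
    def __init__(self, default_timeout):
        self.default_timeout = default_timeout
        self.root = {}    # a -> {b -> {c -> {d -> expiry}}}

    def add(self, ip, now, timeout=None):
        a, b, c, d = ipaddress.IPv4Address(ip).packed
        leaf = self.root.setdefault(a, {}).setdefault(b, {}).setdefault(c, {})
        leaf[d] = now + (self.default_timeout if timeout is None else timeout)

    def test(self, ip, now):
        a, b, c, d = ipaddress.IPv4Address(ip).packed
        expiry = self.root.get(a, {}).get(b, {}).get(c, {}).get(d)
        return expiry is not None and expiry > now

    def gc(self, now):
        """Drop expired entries and free nodes that became empty."""
        for a, bnode in list(self.root.items()):
            for b, cnode in list(bnode.items()):
                for c, leaf in list(cnode.items()):
                    for d, exp in list(leaf.items()):
                        if exp <= now:
                            del leaf[d]
                    if not leaf:
                        del cnode[c]
                if not cnode:
                    del bnode[b]
            if not bnode:
                del self.root[a]

    def allocated_bytes(self):
        nodes = 1                                 # the root array
        for bnode in self.root.values():
            nodes += 1                            # one b-node per first byte
            for cnode in bnode.values():
                nodes += 1 + len(cnode)           # one c-node plus its leaves
        return nodes * NODE_BYTES


def compare(n=1000):
    """Same element count: one /22 worth of hosts vs one host per /24 (sparse tree)."""
    clustered, scattered = IpTreeModel(600), IpTreeModel(600)
    base = ipaddress.IPv4Address("10.0.0.0")      # constructed sample range
    for i in range(n):
        clustered.add(str(base + i), now=0)
        scattered.add(str(base + 1 + i * 256), now=0)
    return clustered.allocated_bytes(), scattered.allocated_bytes()


def timeout_demo():
    s = IpTreeModel(default_timeout=60)
    s.add("192.0.2.7", now=0)                    # default 60 s timeout
    s.add("192.0.2.8", now=0, timeout=10)        # per-element timeout
    before = (s.test("192.0.2.7", 30), s.test("192.0.2.8", 30))
    s.gc(30)
    return before, s.allocated_bytes()
```

With 1000 elements the scattered layout allocates roughly 140 times the memory of the clustered one in this model, which is the sizing risk to keep in mind when an untrusted party controls which addresses get added.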