On 11/04/2010 11:55 PM, Stan Hoeppner wrote:
> What's the CIDR lookup table performance difference between say 256 /32
> entries and a single /24 entry? Is it 256:1? Or, how about 90,000 /32
> entries vs 60,000 entries that consolidate many of those 90,000 /32s
> into larger CIDRs such as /24s and /21s etc? I have no idea what the
> total processing time would be on such size CIDRs. Is it small enough
> to be irrelevant, or are we looking at something like multiple seconds
> per lookup (obviously dependent on hardware)?
> Thanks.
From util/cidr_match.c:
/* cidr_match_execute - match address against compiled CIDR pattern list */
CIDR_MATCH *cidr_match_execute(CIDR_MATCH *list, const char *addr)
{
<snip>
for (entry = list; entry; entry = entry->next) {
Each map is a linked list of CIDR patterns, so consolidate as much as
possible - 100000 single IPs will cause noticeable delays when the last
entry matches!
I would also consider using multiple CIDR maps in an alternating fashion
- whitelist large ranges, then examine smaller ranges that must be
excluded individually, with a different list.
And always, definitely, list the largest ranges first.
--
J.
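To make the cost J. describes concrete, here is an added C example (not Postfix's own code and not part of this thread) that mimics the linear first-match scan of cidr_match_execute() over a linked list and counts how many entries each lookup examines. The CIDR_ENTRY struct, the IPv4-only parser, the two-map helper and the addresses (taken from the reserved documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are all assumptions constructed for the example; the real CIDR_MATCH in util/cidr_match.h is more elaborate.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-in for Postfix's CIDR_MATCH (IPv4 only):
 * one linked-list node per cidr: table line, evaluated top to bottom. */
typedef struct cidr_entry {
    uint32_t net;             /* network address, host byte order */
    uint32_t mask;            /* netmask derived from the prefix length */
    struct cidr_entry *next;
} CIDR_ENTRY;

static uint32_t mask_for_prefix(int bits)
{
    return bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
}

/* Parse a dotted quad into a host-order integer; returns 0 on bad input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;

    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Append at the tail so insertion order equals evaluation order. */
static int cidr_append(CIDR_ENTRY **head, const char *net_str, int prefix)
{
    CIDR_ENTRY *e, **p;
    uint32_t net;

    if (prefix < 0 || prefix > 32 || !parse_ipv4(net_str, &net))
        return 0;
    if ((e = calloc(1, sizeof(*e))) == NULL)
        return 0;
    e->mask = mask_for_prefix(prefix);
    e->net = net & e->mask;
    for (p = head; *p; p = &(*p)->next)
        ;
    *p = e;
    return 1;
}

/* Linear scan, first match wins, like cidr_match_execute(); *steps counts
 * the entries examined so the cost of list size and order is visible. */
static CIDR_ENTRY *cidr_match(CIDR_ENTRY *list, const char *addr_str, int *steps)
{
    CIDR_ENTRY *e;
    uint32_t addr;

    *steps = 0;
    if (!parse_ipv4(addr_str, &addr))
        return NULL;
    for (e = list; e; e = e->next) {
        (*steps)++;
        if ((addr & e->mask) == e->net)
            return e;
    }
    return NULL;
}

static void cidr_free(CIDR_ENTRY *list)
{
    while (list) {
        CIDR_ENTRY *next = list->next;
        free(list);
        list = next;
    }
}

/* Stan's first scenario: 256 /32 entries versus one /24, looking up the
 * address that matches only the final /32. Returns entries examined. */
int steps_expanded_vs_consolidated(int consolidated)
{
    CIDR_ENTRY *list = NULL;
    char buf[32];
    int steps, i;

    if (consolidated) {
        cidr_append(&list, "192.0.2.0", 24);
    } else {
        for (i = 0; i < 256; i++) {
            snprintf(buf, sizeof(buf), "192.0.2.%d", i);
            cidr_append(&list, buf, 32);
        }
    }
    cidr_match(list, "192.0.2.255", &steps);
    cidr_free(list);
    return steps;               /* 256 when expanded, 1 when consolidated */
}

/* The two-map pattern from the reply: a short exclusion map is consulted
 * before a map of large whitelisted ranges, so an exception inside a big
 * range neither forces that range to be split into many small entries nor
 * gets shadowed by the big range that is (rightly) listed first.
 * Returns 1 = whitelisted, 0 = excluded, -1 = in neither map. */
int two_map_decision(const char *addr)
{
    CIDR_ENTRY *exclude = NULL, *allow = NULL;
    int steps, result = -1;

    cidr_append(&exclude, "192.0.2.77", 32);   /* constructed exception host */
    cidr_append(&allow, "192.0.2.0", 24);      /* largest ranges first */
    cidr_append(&allow, "198.51.100.0", 24);
    cidr_append(&allow, "203.0.113.8", 29);
    if (cidr_match(exclude, addr, &steps))
        result = 0;
    else if (cidr_match(allow, addr, &steps))
        result = 1;
    cidr_free(exclude);
    cidr_free(allow);
    return result;
}

int main(void)
{
    printf("expanded: %d steps, consolidated: %d steps\n",
           steps_expanded_vs_consolidated(0), steps_expanded_vs_consolidated(1));
    printf("192.0.2.77 -> %d, 192.0.2.10 -> %d, 203.0.113.200 -> %d\n",
           two_map_decision("192.0.2.77"), two_map_decision("192.0.2.10"),
           two_map_decision("203.0.113.200"));
    return 0;
}
```

The step counter answers the 256:1 question directly for this access pattern: with the address at the tail of an expanded list every entry is touched, whereas the consolidated /24 matches on the first comparison. Because the scan is first-match, a large range placed ahead of the /32s it contains would shadow them, which is exactly why the exceptions live in their own map here rather than in the whitelist.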