<?xml version="1.0" encoding='ISO-8859-1'?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [

<!-- Include general documentation entities -->
<!ENTITY % docentities SYSTEM "../../../docbook/entities.xml">
%docentities;

]>
<!-- Module Developer's Guide -->

<chapter>
    
    <title>&develguide;</title>
    <para>
	One single tree (for both IPv4 and IPv6) is used. Each node contains a byte, the &ip;
	addresses stretching from root to the leafs.
    </para>
    <example>
	<title>Tree of &ip; addresses</title>
	<programlisting format="linespecific">
	   / 193 - 175 - 132 - 164
tree root /                  \ 142
	  \ 195 - 37 - 78 - 163
	   \ 79 - 134
</programlisting>
	</example>
    <para>
	To detect the whole address, step by step, from the root to the leafs, the nodes corresponding
	to each byte of the ip address are expanded. In order to be expended a node has to be hit
	for a given number of times (possible by different addresses; in the previous example, the
	node <quote>37</quote> was expended by the 195.37.78.163 and 195.37.79.134 hits).
    </para>
    <para>
	For 193.175.132.164 with x= reqs_density_per_unit:
    </para>
    <itemizedlist>
	<listitem>
	    <para>
		After first req hits -> the <quote>193</quote> node is built.
	    </para>
	</listitem>
	<listitem>
	    <para>
		After x more hits, the <quote>175</quote> node is build; the hits of
		<quote>193</quote> node are split between itself and its child--both of them gone
		have x/2.
	    </para>
	</listitem>
	<listitem>
	    <para>
		And so on for node <quote>132</quote> and <quote>164</quote>.
	    </para>
	</listitem>
	<listitem>
	    <para>
		Once <quote>164</quote> build the entire address can be found in the
		tree. <quote>164</quote> becomes a leaf. After it will be hit as a leaf for x
		times, it will become <quote>RED</quote> (further request from this address will
		be blocked).
	    </para>
	</listitem>
    </itemizedlist>
    <para>
	So, to build and block this address were needed 3*x hits. Now, if reqs start coming from
	193.175.132.142, the first 3 bytes are already in the tree (they are shared with the previous
	address), so I will need only x hits (to build node <quote>142</quote> and to make it
	<quote>RED</quote>) to make this address also to be blocked.  This is the reason for the
	variable number of hits necessary to block an &ip;.
    </para>
    <para>
	The maximum number of hits to turn an address red are (n is the address's number of bytes):
    </para>
    <para>
	1 (first byte) + x (second byte) + (x / 2) * (n - 2) (for the rest of the bytes) + (n - 1)
	(to turn the node to red).
    </para>
    <para>
	So, for IPv4 (n = 4) will be 3x and for IPv6 (n = 16) will be 9x. The minimum number of hits
	to turn an address red is x.
    </para>
</chapter>