If you're really desperate
I am! On all my systems I use ipsets quite extensively (put it this way
- I don't have a single iptables statement with hard-coded ip
addresses/subnets or port numbers) and since I implement traffic shaping
on all of them, every time something changes in the contents of a set,
the system has to sync this change with tc, otherwise the traffic
shaping "policy" won't be that any more.
This syncing process may not seem too difficult, but when you have a
machine with 7 interfaces on it and employ traffic shaping on all of
them it becomes a real pain to keep in sync. Up until now, I sort of
managed to keep things in a reasonable shape (pun intended) with various
hacks, but I am at my wits' end at present.
You could try
http://git.breakpoint.cc/gitweb/?p=fw/nf-next.git;a=shortlog;h=refs/heads/em_ipset_3
userspace counterpart at:
http://git.breakpoint.cc/gitweb/?p=fw/iproute2.git;a=shortlog;h=refs/heads/em_ipset_3
Got it all in, thanks - much appreciated!
Am I seeing this right - the whole ipset tc implementation consists of 3
patches, barely 10k of code in total? Also, am I right in assuming that
in order to build this on older kernels (I am on 3.3) all I have to do
is apply the 3 patches (1 against my kernel and the other 2 against my
current iproute2 implementation)?
But beware. This code is more than 6 months old; I never got around to
actually testing it on a live system. It's also a bit of a hack since
ip_set_test() assumes it's called from netfilter (the ematch passes in a fake
xt_action_param ...)
I've rebased it on the current tree and it should at least compile with recent kernels.
All noted, thanks again! If I manage to build it, I'll give it a
thorough look and test it here. I'll keep you all posted.
I guess if all works well Jozsef might consider changing the ipset
testing function so that the above assumption no longer holds.
It's an ematch, so something like
tc filter add dev ifb0 protocol ip parent be:0 prio 10 basic match \
ipset'(foo src)' and ipset'(bar dst)'...
might work for you (or ipset'(foo src,dst)' if you have src/dst pairs in
single set).
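The following script is an added example, not code from this thread or from the em_ipset patch series, showing the shape of a setup where tc classification is keyed on ipset names through the basic classifier's ipset ematch (syntax as quoted above, "ipset(SET DIRECTION)", combinable with "and"; the extra single quotes in the message are shell quoting for the parentheses). Once the filters reference sets by name, changing a set's members never touches tc, which is the sync problem described earlier. Set names, members, ifb devices, handles and rates are all assumptions. With DRY_RUN=1 (the default) it only prints the commands; DRY_RUN=0 executes them and needs root, ipset, and a kernel plus iproute2 that carry the ipset ematch.

```shell
#!/bin/sh
# Added example (not from the thread or the em_ipset patches): shaping keyed on
# ipset names via "basic match 'ipset(SET DIR)'". Names, handles and rates are
# assumptions. DRY_RUN=1 prints commands, DRY_RUN=0 runs them (root required).
set -u
DRY_RUN="${DRY_RUN:-1}"

# Render argv as a pasteable command line, quoting args that contain
# spaces or parentheses (the ematch expression is one such argument).
shquote() {
    local out="" a
    for a in "$@"; do
        case $a in
            *" "*|*"("*|*")"*) out="$out'$a' " ;;
            *)                 out="$out$a " ;;
        esac
    done
    printf '%s' "${out% }"
}

# Print (dry run) or execute a command.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        shquote "$@"; printf '\n'
    else
        "$@"
    fi
}

# ematch expression: packets whose src / dst / src,dst address is in SET.
ematch_ipset() { printf 'ipset(%s %s)' "$1" "$2"; }

# The tc command that attaches a basic filter with ematch EXPR to DEV.
# Args: dev parent prio flowid expr
ipset_filter_cmd() {
    shquote tc filter add dev "$1" protocol ip parent "$2" prio "$3" \
        basic match "$5" flowid "$4"
}

add_ipset_filter() {
    run tc filter add dev "$1" protocol ip parent "$2" prio "$3" \
        basic match "$5" flowid "$4"
}

# One shaped device; the same function is applied to every interface, so the
# per-interface tc policy never contains an address, only set names.
setup_interface() {
    local dev=$1
    run ipset -exist create customers hash:net          # assumed set names
    run ipset -exist create bulk hash:net
    run ipset -exist add customers 10.0.0.0/8           # constructed sample members
    run ipset -exist add bulk 192.0.2.0/24
    run tc qdisc add dev "$dev" root handle 1: htb default 30
    run tc class add dev "$dev" parent 1: classid 1:10 htb rate 50mbit
    run tc class add dev "$dev" parent 1: classid 1:20 htb rate 5mbit
    run tc class add dev "$dev" parent 1: classid 1:30 htb rate 1mbit
    # Lower prio is evaluated first: customer traffic bound for the bulk set
    # lands in 1:20, all other customer traffic in 1:10, the rest in 1:30.
    add_ipset_filter "$dev" 1:0 5 1:20 \
        "$(ematch_ipset customers src) and $(ematch_ipset bulk dst)"
    add_ipset_filter "$dev" 1:0 10 1:10 "$(ematch_ipset customers src)"
}

# Later membership changes are ipset-only, e.g. "ipset add customers 10.9.0.0/16";
# no tc filter has to be rewritten on any interface.
for dev in ifb0 ifb1; do setup_interface "$dev"; done
```

The pair of filters shows the precedence point that matters in practice: a narrower "src and dst" match needs a lower prio number than the broad "src" match, or the broad filter claims the packet first.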
The old saying that you learn something new everyday is still valid - up
until I read your response above I didn't know "ematch" ever existed! I
guess by using this, things become a bit more easy.