> Nice, thanks for testing this!

OK, I've had a bit more time to test this, though I am far from finished, but decided to stop at this stage as I found quite a few nasties. So far, I came across the following bugs:

1. ipset bug - "ipset --help" produces multiples of hash:ip,port,net, hash:net,iface, hash:net,port & hash:net. Executing "ipset --help" gives me this:

    Supported set types:
      list:set
      hash:ip,port,net
      hash:ip,port,net
      hash:ip,port,net
      hash:ip,port,ip
      hash:ip,port
      hash:net,iface
      hash:net,iface
      hash:net,port
      hash:net,port
      hash:net,port
      hash:net
      hash:net
      hash:net
      hash:ip
      bitmap:port
      bitmap:ip,mac
      bitmap:ip

2. tc ematch bug

    tc filter add dev ifb0 protocol ip parent f:0 prio 10\
      basic match (ipset'(set1 src,src,dst)' or ipset'(set2 dst,src,src)' or ipset'(set3 src,dst)') and ipset'(set4 src,src)'\
      flowid f:38

produces the following error:

    syntax error near unexpected token `('

According to the help text though (see "Example" below), the above syntax should be fine:

    Usage: EXPR
    where: EXPR := TERM [ { and | or } EXPR ]
           TERM := [ not ] { MATCH | '(' EXPR ')' }
           MATCH := module '(' ARGS ')'
           ARGS := ARG1 ARG2 ...

    Example: a(x y) and not (b(x) or c(x y z))

Am I missing something?

3. Numerous tc ematch ipset bugs:

3.1. bitmap:port can't produce any matches

    ipset n b_test-port bitmap:port range 22-22 timeout 0
    ipset a b_test-port 22
    tc filter add dev ifb0 protocol ip parent f:0 prio 14\
      basic match ipset'(b_test-port src)'\
      flowid f:26

produces no matches. This is also true when port match is present in an "and" | "or" logical expression, like

    ipset'(b_ssh-host src)' and ipset'(b_ssh-port src)'

3.2. hash:ip,port produces no matches:

    ipset n h_test-hosts hash:ip,port family inet timeout 0 hashsize 64
    ipset a h_test-hosts 10.1.1.7,tcp:22
    tc filter add dev ifb0 protocol ip parent f:0 prio 21\
      basic match ipset'(h_test-hosts src,src)'\
      flowid f:33

produces no matches.

3.3. hash:net,port produces no matches

    ipset n h_test-hosts hash:net,port family inet timeout 0 hashsize 64
    ipset a h_test-hosts 10.1.1.1/24,tcp:22
    tc filter add dev ifb0 protocol ip parent f:0 prio 22\
      basic match ipset'(h_test-hosts src,src)'\
      flowid f:34

produces no matches.

3.4. hash:ip,port,ip produces no matches

    ipset n h_test-hosts hash:ip,port,ip family inet timeout 0 hashsize 64
    ipset a h_test-hosts 10.1.1.7,tcp:22,10.1.1.2
    tc filter add dev ifb0 protocol ip parent f:0 prio 23\
      basic match ipset'(h_test-hosts src,src,dst)'\
      flowid f:35

produces no matches.

3.5. hash:ip,port,net produces no matches

    ipset n h_test-hosts hash:ip,port,net family inet timeout 0 hashsize 64
    ipset a h_test-hosts 10.1.1.2,tcp:22,10.1.1.1/24
    tc filter add dev ifb0 protocol ip parent f:0 prio 23\
      basic match ipset'(h_test-hosts dst,src,src)'\
      flowid f:36

produces no matches.

3.6. hash:net,iface produces no matches

    ipset n h_test-hosts hash:net,iface family inet timeout 0 hashsize 64
    ipset a h_test-hosts 10.1.1.1/24,eth0
    tc filter add dev ifb0 protocol ip parent f:0 prio 25\
      basic match ipset'(h_test-hosts src,dst)'\
      flowid f:37

produces no matches.

It looks as though port matching is non-existent and so is multi-dimensional ipset matching - I wasn't able to produce a single match by using either ports or ipsets with multiple dimensions.

That's it for now - let me know if you need any more info from me. I hope the above could be fixed...
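As an added example, not part of this thread: the message quoted in item 2, "syntax error near unexpected token `('", is the shell's own parse error for an unquoted parenthesis, so that command line never reached tc at all. The POSIX-shell script below (written for this page, not taken from the post, iproute2 or ipset) passes the same ematch expression to tc as one quoted word, checks that it survives as a single argument, and checks that the unquoted form is rejected by the shell; the set names, ifb0 and the f: handles are the post's, and nothing is applied unless the script is run with --apply.

```shell
#!/bin/sh
# Added example (not from the post). An unquoted '(' is a shell metacharacter,
# so the error in item 2 is produced by the shell before tc runs. Handing tc
# the whole ematch expression as a single quoted word avoids that; the post's
# own ipset'(... src)' form shows tc already accepts a word with spaces in it.

# The expression from item 2 as one word (set names as in the post).
EXPR='(ipset(set1 src,src,dst) or ipset(set2 dst,src,src) or ipset(set3 src,dst)) and ipset(set4 src,src)'

# Emit the tc arguments one per line so the exact argv tc would get is visible;
# the expression must come out as one line.
build_filter_args() {
    printf '%s\n' filter add dev ifb0 protocol ip parent f:0 prio 10 \
        basic match "$1" flowid f:38
}

# Number of argv words between "match" and "flowid": 1 when quoted properly.
match_word_count() {
    set -- basic match "$1" flowid
    echo $(( $# - 3 ))
}

# Parse-check (sh -n, no execution) the post's literal, unquoted command line.
# Returns 0 when the shell rejects it, 1 if some shell happens to accept it.
unquoted_form_is_rejected() {
    sh -n -c "tc filter add dev ifb0 basic match (ipset'(set1 src)' or ipset'(set2 src)') and ipset'(set4 src)' flowid f:38" \
        2>/dev/null && return 1
    return 0
}

# Print the command as it would be executed, without root or tc.
dry_run() {
    printf 'tc'
    build_filter_args "$1" | while IFS= read -r word; do
        printf " '%s'" "$word"
    done
    printf '\n'
}

# Apply for real only on request (needs root, ifb0 and the f: qdisc present).
if [ "${1:-}" = "--apply" ]; then
    tc filter add dev ifb0 protocol ip parent f:0 prio 10 \
        basic match "$EXPR" flowid f:38
else
    dry_run "$EXPR"
fi
```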