> I don't completely understand you: the bitmap:port type already supports
> adding/deleting port ranges. Could you write a full example?
OK, here goes (*full* example using a bash script): suppose that I need
to define a pair of IP subnets with two ranges of ports -
223.240.0.0/13:1-1024 and 223.248.13.0/24:8000-16000 - and include them
in one set. In 4.x that will only be possible by using the following
shell script (9 subsets, as the 4.x ipporthash construct accepts only /16
subnets):
=======4.x===============
#!/bin/bash
cn_base_set='blacklisted-cn-240-special'
# initialise the new sets
for (( _i=0; _i < 8; _i++ )); do
    # - split in 8 subsets as 4.x can't have more than /16 (B-class) subnets in ipporthash constructs
    ipset -N $cn_base_set$_i ipporthash --network 223.24$_i.0.0/16
done
ipset -N blacklisted-cn-248-selected ipporthash --network 223.248.13.0/24
for (( _i=1; _i <= 1024; _i++ )); do
    # 1st loop - low port ranges
    for (( _j=0; _j < 8; _j++ )); do
        # 2nd loop - 8 x /16 subnets
        ipset -A blacklisted-cn-240-special$_j 223.24$_j.0.0/16,$_i
    done
done
for (( _i=8000; _i <= 16000; _i++ )); do
    # 2nd set - selected (8k-16k) port ranges
    ipset -A blacklisted-cn-248-selected 223.248.13.0/24,$_i
done
=========================
The above script will create 9 sets of type ipporthash:
blacklisted-cn-240-special0 ... blacklisted-cn-240-special7 and
blacklisted-cn-248-selected and then add the port ranges in the
following manner:
ipset -A blacklisted-cn-240-special0 223.240.0.0/16,1
ipset -A blacklisted-cn-240-special1 223.241.0.0/16,1
...
ipset -A blacklisted-cn-240-special7 223.247.0.0/16,1
...
...
ipset -A blacklisted-cn-240-special7 223.247.0.0/16,1024
and then (last loop):
ipset -A blacklisted-cn-248-selected 223.248.13.0/24,8000
ipset -A blacklisted-cn-248-selected 223.248.13.0/24,8001
...
ipset -A blacklisted-cn-248-selected 223.248.13.0/24,16000
In 5.x-pre10 the above job would be a bit easier as I understand there
is no limit on the size of the network (i.e. I am no longer constrained
by B-class subnet):
=======5.x-pre10===============
#!/bin/bash
# initialise the new combined set
ipset -N blacklisted-cn-combined hash:ip,port
for (( _i=1; _i <= 1024; _i++ )); do
    # 1st loop - low port ranges
    ipset add blacklisted-cn-combined 223.240.0.0/13,$_i
done
for (( _i=8000; _i <= 16000; _i++ )); do
    # 2nd set - selected (8k-16k) port ranges
    ipset add blacklisted-cn-combined 223.248.13.0/24,$_i
done
=========================
The above scripts will execute at least 9024 "ipset -A/add" statements!
It would be more convenient if I could do this in 5.x:
ipset -N blacklisted-cn-combined hash:ip,port
ipset -A blacklisted-cn-combined 223.240.0.0/13,1-1024
ipset -A blacklisted-cn-combined 223.248.13.0/24,8000-16000
Just 3 statements - much simpler and I won't bother with any loops!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
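Added example, not part of the mail above: until range syntax exists, the 9k+ "ipset add" invocations of the 5.x-pre10 script can at least be collapsed into one "ipset restore" run by generating the batch file instead of calling ipset in the loop. It assumes the restore file accepts "create NAME hash:ip,port" and "add NAME NET,PORT" lines (the syntax of later ipset releases), and it rejects port ranges outside 1-65535 rather than silently emitting bad entries.

```bash
#!/bin/bash
# Generate "ipset restore" input for the two entries from the mail.
# Assumption: restore accepts "create NAME TYPE" and "add NAME ENTRY" lines.

# port_range_lines SET NET FIRST LAST -> one "add SET NET,PORT" line per port
port_range_lines() {
    local set=$1 net=$2 first=$3 last=$4 p
    # refuse ranges outside 1..65535 or with first > last instead of
    # emitting entries the kernel would reject halfway through the load
    if [ "$first" -lt 1 ] || [ "$last" -gt 65535 ] || [ "$first" -gt "$last" ]; then
        echo "bad port range $first-$last" >&2
        return 1
    fi
    for (( p=first; p<=last; p++ )); do
        printf 'add %s %s,%d\n' "$set" "$net" "$p"
    done
}

# combined_batch -> full restore script: one create line plus
# 1024 + 8001 = 9025 add lines for the two network/port-range pairs
combined_batch() {
    local set=blacklisted-cn-combined
    echo "create $set hash:ip,port"
    port_range_lines "$set" 223.240.0.0/13 1 1024
    port_range_lines "$set" 223.248.13.0/24 8000 16000
}

# Usage (on the firewall host): combined_batch | ipset restore
```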