Re: [ANNOUNCE] ipset-5.0 released

On Thu, 23 Dec 2010, Mr Dash Four wrote:

> > > > The implementation behind ipset looks up the (ipaddr, proto, port)
> > > > triple
> > > > in one step. Such packing doesn't work there.
> > > >         
> > > If that's the case how do you lookup IP address and port ranges then?
> > >     
> > 
> > IP address and port ranges are exploded and the elements are inserted
> > one-by-one. And the exploded ranges are *not* converted back to ranges when
> > listing/saving the sets. At the bitmap types the ranges could be converted
> > back (not done yet), at the hash types it's not possible.
> >   
> If I understand you correctly, if I define hash:net,proto,port ipset and add a
> single element to it - 10.1.1.0/30,udp,80-83 - that translates (in primitive
> terms) to:
> 
> 10.1.1.0,udp,80
> 10.1.1.0,udp,81
> ...
> 10.1.1.0,udp,83
> 10.1.1.1,udp,80
> ...
> 10.1.1.1,udp,83
> ...
> ...
> 10.1.1.3,udp,83

No, "net" types are not exploded in terms of networks.
 
> One other question - if I insert the above element in the set what is shown
> when I execute ipset -L: "10.1.1.0-10.1.1.3,udp,80-83" or the various
> permutations I listed above?

The protocol does not allow listing a subset of the elements in a set.
Only the whole set can be listed.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
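
Added example, not part of the original message and not ipset's own code: a small Python model of the expansion described above, useful for estimating how many elements one added entry costs a set. It assumes the entry syntax used in the thread; "hash:ip,proto,port" is a hypothetical ip-keyed counterpart of the "hash:net,proto,port" type named in the question.

```python
import ipaddress

def _ports(spec):
    """Every port in 'N' or 'N-M', inclusive: port ranges are exploded."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return range(lo, hi + 1)

def _addresses(spec):
    """Every address in 'A', 'A-B' or 'A/len' (model assumption for ip fields)."""
    if "-" in spec:
        first, last = (int(ipaddress.IPv4Address(p)) for p in spec.split("-"))
        if first > last:
            raise ValueError(f"bad address range: {spec}")
        return [ipaddress.IPv4Address(i) for i in range(first, last + 1)]
    return list(ipaddress.ip_network(spec, strict=False))

def explode(set_type, entry):
    """Model of the elements stored for one added entry.

    "ip" fields are exploded address by address; "net" fields stay one
    network, as stated in the reply. Ports are exploded in both cases.
    """
    first_field = set_type.split(":", 1)[1].split(",")[0]
    addr, proto, ports = entry.split(",")
    if first_field == "net":
        heads = [str(ipaddress.ip_network(addr, strict=True))]
    elif first_field == "ip":
        heads = [str(a) for a in _addresses(addr)]
    else:
        raise ValueError(f"unsupported set type in this model: {set_type}")
    return [f"{h},{proto},{p}" for h in heads for p in _ports(ports)]

if __name__ == "__main__":
    # Constructed inputs taken from the question in the thread.
    for set_type, entry in [
        ("hash:net,proto,port", "10.1.1.0/30,udp,80-83"),
        ("hash:ip,proto,port", "10.1.1.0-10.1.1.3,udp,80-83"),
    ]:
        elements = explode(set_type, entry)
        print(f"{set_type} + {entry}: {len(elements)} elements")
        for element in elements:
            print("   ", element)
```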