On Thu, 23 Dec 2010, Mr Dash Four wrote: > > > > The implementation behind ipset looks up the (ipaddr, proto, port) > > > > triple > > > > in one step. Such packing don't work there. > > > > > > > If that's the case how do you lookup IP address and port ranges then? > > > > > > > IP address and port ranges are exploded and the elements are inserted > > one-by-one. And the exploded ranges are *not* converted back to ranges when > > listing/saving the sets. At the bitmap types the ranges could be converted > > back (not done yet), at the hash types it's not possible. > > > If I understand you correctly, if I define hash:net,proto,port ipset and add a > single element to it - 10.1.1.0/30,udp,80-83 - that translates (in primitive > terms) to: > > 10.1.1.0,udp,80 > 10.1.1.0,udp,81 > ... > 10.1.1.0,udp,83 > 10.1.1.1,udp,80 > ... > 10.1.1.1,udp,83 > ... > ... > 10.1.1.3,udp,83 No, "net" types are not exploded in the terms of networks. > One other question - if I insert the above element in the set what is shown > when I execute ipset -L: "10.1.1.0-10.1.1.3,udp,80-83" or the various > permutations I listed above? The protocol does not allow to list a subset of the elements in a set. Just the whole set can be listed. Best regards, Jozsef - E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html