Re: ipset and interfaces

2011/5/24 Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>:
> On Tue, 24 May 2011, Oskar Berggren wrote:
>
>> Regarding ipsets.... how crazy would it be to add a set type
>> containing interface names?
>
> Usually the number of interfaces is not quite high in a system, so it
> does not seem required.

I have machines with plenty of vlans. About 700 interfaces in the largest instance currently. That said, I don't have a clear use case for this particular set type currently, but out of curiosity, would it be reasonably doable within the ipset framework?


>
>> And how crazy would it be to add a set type containing tuples of
>> ip-address and interface name?  (I.e. the set match would look for ip,
>> and match if a tuple with the proper interface is found)
>
> What is the case where a combination of matches does not solve the issue?
> Something like this
>
> -N interfaces
> -A interfaces -i foo -j ACTION
> ...
>
> -A rule -m set --match-set src -j interfaces
>
> and thus you can match IP addresses and possible (incoming) interfaces
> easily.


As above, about 700 interfaces, each with generally just a few source ip-addresses expected for each interface, or a few subnets. I.e. in the simplest case a single ip is acceptable for a single interface, for a total of a couple of hundred interfaces. This is similar to rp_filter, but I had trouble getting that to work predictably with multiple routing tables. Currently I've solved it with a tree structure of iptables chains and rules, but being able to use a single set for this would look so much nicer.

/Oskar
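Added example, not part of the thread and not ipset's or netfilter's own code: a POSIX shell script that generates the ipset and iptables commands for the per-interface source filtering Oskar describes, with one hash:net set per interface inside a single chain, in the spirit of Jozsef's chain sketch. The interface names, subnets and chain/set names are constructed for illustration; the commands are printed for review rather than executed.

```shell
#!/bin/sh
# Generate per-interface source-address filtering rules (anti-spoofing in
# the style of rp_filter) from a mapping of interface -> allowed source nets.
# Nothing is applied: every ipset/iptables command is echoed so it can be
# reviewed or piped into a shell on the target host.

# Constructed sample mapping: "<interface> <allowed net> [<net>...]".
# Names and prefixes are made up; replace with the real per-vlan data.
IFMAP='vlan100 192.0.2.0/29 192.0.2.64/26
vlan101 198.51.100.8/32
vlan102 203.0.113.0/24 198.51.100.16/28'

# Emit the commands for one interface: create its hash:net set, fill it,
# then two rules in the shared chain: RETURN if the source is in the set,
# otherwise DROP. "-exist" makes the ipset commands idempotent.
gen_iface() {
    iface=$1; shift
    set_name="src_$iface"
    echo "ipset create $set_name hash:net -exist"
    for net in "$@"; do
        echo "ipset add $set_name $net -exist"
    done
    echo "iptables -A ifsrc -i $iface -m set --match-set $set_name src -j RETURN"
    echo "iptables -A ifsrc -i $iface -j DROP"
}

# Emit the whole ruleset: the dedicated chain, one block per mapped
# interface, and hooks from INPUT and FORWARD into the chain. Interfaces
# not in the mapping (e.g. lo) match no rule and fall through untouched.
gen_rules() {
    echo "iptables -N ifsrc"
    echo "$IFMAP" | while read -r iface nets; do
        [ -n "$iface" ] || continue
        # shellcheck disable=SC2086  # split nets into separate arguments
        gen_iface "$iface" $nets
    done
    echo "iptables -A INPUT -j ifsrc"
    echo "iptables -A FORWARD -j ifsrc"
}

# Number of "iptables -A" rules produced for the current mapping; useful
# for sanity-checking the generated size before loading it (2 per interface
# plus the 2 hooks).
count_rules() {
    gen_rules | grep -c '^iptables -A'
}

gen_rules
```

Redirect the output to a file and review it before applying; for hundreds of vlans, loading the ipset part via `ipset restore` is faster than running the individual `ipset add` lines.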