Re: ipset and interfaces

On Tue, 24 May 2011, Oskar Berggren wrote:

> 2011/5/24 Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>:
> > On Tue, 24 May 2011, Oskar Berggren wrote:
> >
> >> Regarding ipsets.... how crazy would it be to add a set type
> >> containing interface names?
> >
> > Usually the number of interfaces is not quite high in a system, so it
> > does not seem required.
> 
> I have machines with plenty of vlans. About 700 interfaces in the 
> largest instance currently. That said, I don't have a clear use case for 
> this particular set type currently, but out of curiosity, would it be 
> reasonably doable within the ipset framework?

Yes, I don't see any problem here.
 
> >> And how crazy would it be to add a set type containing tuples of
> >> ip-address and interface name?  (I.e. the set match would look for ip,
> >> and match if a tuple with the proper interface is found)
> >
> > What is the case where a combination of matches does not solve the issue?
> > Something like this
> >
> > -N interfaces
> > -A interfaces -i foo -j ACTION
> > ...
> >
> > -A rule -m set --match-set src -j interfaces
> >
> > and thus you can match IP addresses and possible (incoming) interfaces
> > easily.
> 
> As above, about 700 interfaces, each with generally just a few source 
> ip-addresses expected for each interface, or a few subnets. I.e. in the 
> simplest case a single ip is acceptable for a single interface, for a 
> total of a couple of hundred interfaces. This is similar to rp_filter, 
> but I had trouble getting that to work predictably with multiple routing 
> tables. Currently I've solved it with a tree structure of iptables 
> chains and rules, but being able to use a single set for this would look 
> so much nicer.

So it looks like a valid case, for a new set type with interfaces and IP 
addresses/networks ;-) I'll work on it.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
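The chain-per-interface layout Oskar describes (one set of expected source networks per interface, dispatched on -i) can be generated from a simple policy table. The following is an added example, not code from this thread or from the ipset project; the interface names vlan100/vlan101, the chain name ifcheck, the set prefix src_ and all addresses are constructed, and the rule text is emitted rather than applied so the expected verdict can be modelled offline.

```python
import ipaddress

# Constructed example policy (hypothetical interface names and addresses):
# each interface is listed with the source networks expected to arrive on it.
POLICY = {
    "vlan100": ["10.100.0.0/24"],
    "vlan101": ["10.101.0.0/24", "192.0.2.8/32"],
}


def render_rules(policy, chain="ifcheck", set_prefix="src_"):
    """Emit ipset/iptables commands for a chain-per-interface layout:
    one hash:net set per interface holds that interface's expected
    sources; the dispatch chain matches on -i and drops anything else
    arriving on a listed interface."""
    lines = []
    for iface, nets in policy.items():
        setname = f"{set_prefix}{iface}"
        lines.append(f"ipset create {setname} hash:net")
        lines += [f"ipset add {setname} {net}" for net in nets]
    lines.append(f"iptables -N {chain}")
    for iface in policy:
        lines.append(f"iptables -A {chain} -i {iface} "
                     f"-m set --match-set {set_prefix}{iface} src -j RETURN")
        lines.append(f"iptables -A {chain} -i {iface} -j DROP")
    # Traffic on interfaces not listed in the policy falls through untouched.
    lines.append(f"iptables -I INPUT -j {chain}")
    return lines


def expected_verdict(policy, src, iface):
    """Model the verdict the generated rules give a packet: 'RETURN' when
    src lies within one of the interface's expected networks, 'DROP' when
    the interface is listed but the source is not, None when the interface
    is not covered by the policy at all."""
    if iface not in policy:
        return None
    addr = ipaddress.ip_address(src)
    for net in policy[iface]:
        if addr in ipaddress.ip_network(net):
            return "RETURN"
    return "DROP"


if __name__ == "__main__":
    print("\n".join(render_rules(POLICY)))
```

Feeding the output through `ipset restore`/`iptables-restore` style batches rather than one command per line scales better for hundreds of interfaces.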
