Re: ipset "contains" question

Hi

>> Many thanks for ipset.  Quick question please: I'm implementing a
>> captive portal and I have an ipset (CP) containing bitmap:ip,mac.  How
>> should I best implement rules to:
>>
>> - Drop packets from same IP, different MAC
>>
>> I might be missing the obvious, but how do I query to match on IP, then
>> drop IP with a mismatching MAC (in the bitmap ipset)? Can this be done
>> without a second ipset tracking only IP?
> 
> At first glance I'd allow packets from (IP, MAC) and drop everything
> else, i.e. (same IP, different MAC) and (different IP, same MAC), etc.

Thanks - I think it's important to separate the traffic, not block it,
for my situation. You need to log in to the captive portal, so some
traffic needs to flow without being authenticated. I think you can very,
very nearly have a clean split between auth/non-auth users, but for
flexibility my idea was to add some specific blocks/drops to classes of
users who were clearly trying to cheat.

(And yes, I do get that "auth" based on IP/MAC has some significant
limitations...)


> If you want to match the IP address only, too, then a single set is not
> sufficient, unfortunately.

That's fine.  Do you think it's a sensible feature request that has a
use elsewhere? I.e. given a bitmap:ip,mac, does it make sense to want to
search it for just IP or MAC?

Additionally, it would have been very useful to use an ipset to assign a
packet mark, i.e. the "result" of an ipset is also stored in the ipset.
Do you think this is a reasonable feature request? (What other
"parameters" do people want to look up: flow rates, marks, last seen,
time constraints?)

Thanks for creating ipsets - very helpful!

Ed W
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
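The two-set arrangement the reply points at, written out as an added example (not code from the thread or from the ipset project): a bitmap:ip,mac set holds the authorised (IP, MAC) pairs, and a second bitmap:ip set holds the bare IPs so the "same IP, different MAC" case can be dropped while everything unknown still falls through to the portal. It assumes a client subnet of 10.0.0.0/24, set names CP and CP_IP, and rules in the iptables FORWARD chain.

```shell
# Added example, not from the thread. Assumptions: subnet 10.0.0.0/24,
# set names CP and CP_IP, FORWARD chain. Without --apply the commands
# are only printed; with --apply (as root) they are executed.
SUBNET="10.0.0.0/24"
CHAIN="FORWARD"

# Set creation and the two match rules, one command per line.
# Order matters: the ACCEPT for a matching (IP, MAC) pair comes first,
# so the DROP on CP_IP only ever sees a known IP with the wrong MAC.
# Unknown IPs match neither rule and continue to the portal redirect.
cp_rules() {
    cat <<EOF
ipset create CP bitmap:ip,mac range $SUBNET -exist
ipset create CP_IP bitmap:ip range $SUBNET -exist
iptables -A $CHAIN -m set --match-set CP src,src -j ACCEPT
iptables -A $CHAIN -m set --match-set CP_IP src -j DROP
EOF
}

# Authorising a client writes both sets: the pair into CP and the bare
# IP into CP_IP, which is what lets the DROP rule match on IP alone.
cp_authorise() {
    ip="$1"; mac="$2"
    printf 'ipset add CP %s,%s -exist\n' "$ip" "$mac"
    printf 'ipset add CP_IP %s -exist\n' "$ip"
}

# Revoking must remove both entries; leaving the IP in CP_IP would turn
# a logged-out client into a permanently dropped one.
cp_revoke() {
    ip="$1"; mac="$2"
    printf 'ipset del CP %s,%s -exist\n' "$ip" "$mac"
    printf 'ipset del CP_IP %s -exist\n' "$ip"
}

if [ "${1:-}" = "--apply" ]; then
    cp_rules | sh -e
else
    cp_rules
fi
```

Both sets have to be kept in step by whatever the portal's login/logout path runs; a mismatch between them is exactly the failure mode the revoke function guards against.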