On Sun, 15 Jan 2012, Mr Dash Four wrote:

> > > Any chance of fixing this bug soon:
> > >
> > > ~# ipset n test hash:net family inet timeout 0
> > > ~# ipset a test 10.1.0.0/16
> > > ~# ipset t test 10.1.12.12
> > > 10.1.12.12 is in set test.
> > > ~# ipset t test 10.1.12.0/24
> > > 10.1.12.0/24 is NOT in test.
> >
> > It's a feature which I'm not going to fix in any near future.
> >
> It isn't a "feature", it is a bug: 10.1.12.0/24 is within the 10.1.0.0/16
> range, so the above test should return true, not false. Either that, or ip
> range values should be restricted/excluded from the "test" command in the
> ipset userspace binary.

The "test" functionality is already overloaded. It has two "modes":

- you can test how the *kernel* sees the set, when checking a single IP
  address
- you can check whether an *exact* element is added to the set or not.

As the first one overloads the second one, for hash:*net* types the second
mode is already "incomplete" in the sense that one cannot check whether a
given single IP address is already added to a hash:*net* type of set as an
exact element or not, because a network element may match it.

Your request means a third mode, which could lead to even more confusion,
because that way one could not check whether the tested address as
*element* is added to the set or not.

There's no magical element-aggregation in the hash:* types. That is, even
if 10.1.0.0/16 is added as an element, 10.1.0.0/24 can be added again as
an independent element: either it should be rejected (when the command was
issued without the --exist flag) or silently ignored (when it was issued
with it). So even to consider your feature requests, it could come only
after implementing element-aggregation.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
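
The two "test" modes described in the message above, as an added example that is not part of the original e-mail and is not ipset's own code: a small Python model of a hash:net set. The class name `HashNetModel` and the `covered` audit helper are hypothetical; `covered` goes beyond the message by aggregating elements offline to answer the range question that "test" does not.

```python
import ipaddress


class HashNetModel:
    """Toy model of the hash:net semantics in the message (not ipset code)."""

    def __init__(self):
        # Elements are stored independently; nothing is aggregated.
        self.elements = set()

    def add(self, cidr):
        self.elements.add(ipaddress.ip_network(cidr, strict=False))

    def test(self, target):
        """Model of 'ipset test' with its two modes."""
        net = ipaddress.ip_network(target, strict=False)
        if net.prefixlen == net.max_prefixlen:
            # Mode 1: single address, matched the way the kernel would.
            return any(e.version == net.version and net.subnet_of(e)
                       for e in self.elements)
        # Mode 2: a network is looked up as an exact element only.
        return net in self.elements

    def covered(self, target):
        """Hypothetical audit helper: is the whole range matched by the set?

        Aggregates the elements first, so two adjacent /25 elements
        count as covering their /24.
        """
        net = ipaddress.ip_network(target, strict=False)
        same = [e for e in self.elements if e.version == net.version]
        return any(net.subnet_of(a)
                   for a in ipaddress.collapse_addresses(same))


if __name__ == "__main__":
    s = HashNetModel()
    s.add("10.1.0.0/16")          # constructed sample data, as in the thread
    s.add("192.168.0.0/25")       # constructed: two halves of one /24
    s.add("192.168.0.128/25")
    for t in ("10.1.12.12", "10.1.12.0/24", "192.168.0.0/24"):
        print(f"{t:16} test={s.test(t)!s:5} covered={s.covered(t)}")
```

When auditing firewall sets, a "NOT in set" answer for a network therefore says only that no identical element exists, not that traffic from that range goes unmatched.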