Re: [ANNOUNCE] ipset 6.11 released

On Thu, 19 Jan 2012, Mr Dash Four wrote:

> > The userspace testing is passed to the kernel for execution. There's no
> > shadow or backup or whatever set in userspace. The sets exist in kernel
> > space and therefore all operations happen there.
> >   
> So, is the above doable in any shape or form or not?

Doable, but needs time and would involve adding the logic to auto-merge
smaller subnets into larger ones and to make it possible to delete subnets
from larger networks.

I'm sure you are aware, this is a free time project.

> > Why do you need such tests at all?
> >   
> Various reasons. Two common uses (at least in my case) would be to test an ip
> range against quite a large set of registered subnets (taken from the geoip
> database and sorted using my own criteria). The tested ip range is either a
> candidate to 1) ban that network, in which case I do not want duplicates if
> the existing range is already there; or 2) include the ip range in a separate
> set, making sure that it is not already in the 'banned' set and also that it
> is not already included in the 'customer' set (which although limited, has
> quite a significant number of set members - usually small subnets).
> 
> Because the ip range in ipset is not working correctly, I had to first
> manually go over the testing ranges. Later on I devised a small shell script
> doing what I just described in my previous post (quoted above), but it is
> quite ugly and inefficient - it would be much better if ip range testing in
> ipset was functioning properly, saving me all this hassle.

Sorry, for a while you have to use workarounds like you described.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
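
A userspace pre-check of the kind the workaround above calls for, as an added example that is not from this thread or from the ipset project: it reports whether an IP range is fully, partially or not at all covered by a set's subnets, and shows the auto-merge of smaller subnets into larger ones. The function names, the set contents and the IPv4-only scope are assumptions made for illustration.

```python
import ipaddress as ip

def range_to_nets(first, last):
    """Split an inclusive first-last range into the minimal list of CIDR blocks."""
    return list(ip.summarize_address_range(ip.ip_address(first), ip.ip_address(last)))

def merged(members):
    """Auto-merge: collapse adjacent and nested subnets into the fewest blocks."""
    return list(ip.collapse_addresses(ip.ip_network(m) for m in members))

def coverage(first, last, members):
    """Return 'full', 'partial' or 'none' for how much of the range the set holds."""
    cand, have = range_to_nets(first, last), merged(members)
    total = sum(c.num_addresses for c in cand)
    covered = 0
    for c in cand:
        for m in have:  # CIDR blocks either nest or are disjoint, never straddle
            if c.subnet_of(m):
                covered += c.num_addresses
            elif m.subnet_of(c):
                covered += m.num_addresses
    return "full" if covered == total else "partial" if covered else "none"

def merge_into(members, first, last):
    """Return the set contents after adding the range, merged into larger networks."""
    added = [str(n) for n in range_to_nets(first, last)]
    return [str(n) for n in merged(list(members) + added)]

# Constructed sample sets (documentation address space), not data from the thread.
BANNED = ["203.0.113.0/25", "203.0.113.128/26"]
CUSTOMER = ["198.51.100.16/28"]

if __name__ == "__main__":
    for first, last in [("203.0.113.0", "203.0.113.191"),
                        ("203.0.113.128", "203.0.113.255"),
                        ("198.51.100.20", "198.51.100.40")]:
        print(first, "-", last, "banned:", coverage(first, last, BANNED),
              "customer:", coverage(first, last, CUSTOMER))
    print(merge_into(BANNED, "203.0.113.192", "203.0.113.255"))
```

A range is a safe addition to the 'banned' set only when it reports "none" against 'customer' and anything other than "full" against 'banned'.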