IP sets: Suggestion: additional value match

Hi,

when working with IP sets, I came up with the following idea:
adding a value match:

 -j SET --add-set set1 flag[,flag]=value
 --match-set set1 flag[,flag]=value

Where value is an integer which is set in the added list element of the SET target. The value does not change the dimension of the list. The match is true only if the given value is equal to the value stored in the found element.

Optionally adding an arbitrary value could help using IP sets in even more ways than now, for example easily tracking packets independently of other extensions or matches.

For example, instead of using three sets to distinguish between three different states:
 -j SET --add-set state1set src,dst,dst
 -j SET --del-set state2set src,dst,dst
 -j SET --del-set state3set src,dst,dst
one would write:
 -j SET --add-set aset1 src,dst,dst=<integer>
Where <integer> resembles state1|state2|state3 then.

Maybe you can think of more uses for this feature.
As a further enhancement bit operators might be useful, too.

Best Regards,
Rudolf