Hi,

On Thu, 30 Jul 2015, Rudolf_AT wrote:

> when working with IP sets, I came up with the following idea:
> adding a value match:
>
> -j SET --add-set set1 flag[,flag]=value
> --match-set set1 flag[,flag]=value
>
> Where value is an integer which is set in the added list element of the
> SET target. The value does not change the dimension of the list. The
> match is true only if the given value is equal to the value stored in
> the found element.
>
> Optionally adding an arbitrary value could help using IP sets in even
> more ways than now, for example easily tracking packets independently of
> other extensions or matches.
>
> For example, instead of using three sets to distinguish between three
> different states:
> -j SET --add-set state1set src,dst,dst
> -j SET --del-set state2set src,dst,dst
> -j SET --del-set state3set src,dst,dst
> one would write:
> -j SET --add-set aset1 src,dst,dst=<integer>
> Where <integer> resembles state1|state2|state3 then.
>
> Maybe you can think of more uses for this feature.
> As a further enhancement bit operators might be useful, too.

The stored value is not a dimension-like parameter, so it should not be
denoted/matched/updated as a dimension related one.

As far as I see it's quite similar to the "connmark/CONNMARK" match and
target. Why cannot that simply be used?

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
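
The connmark/CONNMARK alternative raised in the reply, as an added example that is not part of the original message or of the netfilter code: one state value (1, 2 or 3) is kept in masked connmark bits instead of three sets, and the mask gives the "bit operators" asked for in the quoted proposal. The two-bit mask 0x3, the TCP ports 7001-7003 and the STATEn chain names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): one state value kept in connmark bits.
# Assumptions: the state uses the low two bits (mask 0x3); the TCP ports that
# trigger each state (7001-7003) and the STATEn chain names are constructed.
STATE_MASK=0x3

# What "CONNMARK --set-xmark VALUE/MASK" does to an existing mark:
# clear the masked bits, then XOR the value in. Other bits are untouched.
apply_xmark() {  # apply_xmark OLD VALUE MASK
    echo $(( ($1 & ~$3) ^ $2 ))
}

# What "-m connmark --mark VALUE/MASK" tests: (mark & MASK) == VALUE.
connmark_matches() {  # connmark_matches MARK VALUE MASK
    [ $(( $1 & $3 )) -eq $(( $2 )) ]
}

# Rule that records STATE on the connection when a packet to PORT is seen.
state_rule() {  # state_rule STATE PORT
    printf '%s\n' "-A PREROUTING -p tcp --dport $2 -j CONNMARK --set-xmark $1/$STATE_MASK"
}

# Rule that hands connections currently in STATE to their own chain.
match_rule() {  # match_rule STATE CHAIN
    printf '%s\n' "-A PREROUTING -m connmark --mark $1/$STATE_MASK -j $2"
}

# Full mangle-table ruleset in iptables-restore format.
emit_ruleset() {
    echo '*mangle'
    echo ':PREROUTING ACCEPT [0:0]'
    for s in 1 2 3; do echo ":STATE$s - [0:0]"; done
    for s in 1 2 3; do state_rule "0x$s" "700$s"; done
    for s in 1 2 3; do match_rule "0x$s" "STATE$s"; done
    echo 'COMMIT'
}

# Print the ruleset; its syntax can be checked by piping the output
# into: iptables-restore --test
emit_ruleset
```

The connmark is stored on the conntrack entry, so this state follows one connection, whereas an element of a src,dst,dst set is keyed by the address and port tuple and can be shared by several connections.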