Hello,

I am trying to use iptables ... -m set --match-set against the ipset infrastructure (using nightly build 20151116, kernel 4.2.3). I have some suggestions after I successfully made it work. And thank you - my router is more powerful.

1) In the man page file libxt_set.man: until I experimented and looked into the code I did not understand what is meant by "test src,dst".
Please add some more examples to this man page to make it better:

If you have an ipset table MYIPS of hash:ip type and want to match by source IP, use
    iptables -I FORWARD -m set --match-set MYIPS src -j LOG

If you have an ipset table MYIPS of bitmap:ip,mac type and want to match by source IP and source MAC, use
    iptables -I FORWARD -m set --match-set MYIPS src,src -j LOG
or add any other.

2) The name of the option "--match-set" does not follow the logic used by iptables; I suggest changing it to "--set-match". Look at other options in iptables-extensions: -m hashlimit --hashlimit-above, -m limit --limit-burst. Also the name in -j SET could be reversed (--set-map).

3) Could the target -j SET have some options to jump to some iptables chain by some value stored in the ipset? For example, if you stored skbmark with an IP address you can change the mark of a packet matched in the list in one rule:
    iptables -j SET --map-set MYIPS src --map-mark
But if you have chains, for example customer_0000 customer_0001 ... customer_ffff, you have no way to jump in one rule, and you need some hierarchical chains, mainly generated by a script.
Something like "JUMP" using the mark or using some value stored with the IP in skbmark:
    iptables -j SET --map-set MYIPS --map-jump-mark-prefix "customer_"
so when an IP matches in the ipset table, find the mark and then jump to the specific chain.

4) Do you have any plan for when you will release a stable iptables 1.6.0 :-) ?

Best Regards
Martin Kratochvil
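The point in 1) above is that each comma-separated entry in the --match-set flag list corresponds, in order, to one dimension of the set type (ip for hash:ip; ip then mac for bitmap:ip,mac). The following POSIX shell script is an added example, not code from the mail or from the iptables/ipset projects: it derives the dimension count from the ipset type string, rejects a flag list whose length does not match it or that contains anything other than src/dst, and only prints the resulting iptables rule for review rather than applying it. The set name MYIPS, the chain FORWARD and the LOG target are taken from the mail; the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original mail): build an iptables rule that
# references an ipset, after checking that the --match-set flag list has
# exactly one src/dst entry per dimension of the set type.  The script never
# touches the live firewall; it prints the rule so it can be reviewed first.

# count_dims TYPE   -> number of dimensions, e.g. "bitmap:ip,mac" -> 2
# (everything after "hash:" / "bitmap:" / "list:" is a comma-separated list
# of the fields that make up one entry)
count_dims() {
    fields=${1#*:}
    echo "$fields" | awk -F, '{print NF}'
}

# count_flags FLAGS -> number of entries, e.g. "src,dst" -> 2
count_flags() {
    echo "$1" | awk -F, '{print NF}'
}

# build_match_rule CHAIN SETNAME SETTYPE FLAGS
# Prints the iptables command on success; on a mismatch prints an error to
# stderr and returns 1, so a mis-specified rule is caught before it reaches
# the kernel (where it would either be refused or silently match the wrong
# header field).
build_match_rule() {
    chain=$1; name=$2; type=$3; flags=$4
    dims=$(count_dims "$type")
    n=$(count_flags "$flags")
    if [ "$dims" -ne "$n" ]; then
        echo "error: set $name ($type) has $dims dimension(s) but $n flag(s) given: $flags" >&2
        return 1
    fi
    # every entry must be src or dst (the direction for that dimension)
    oldifs=$IFS; IFS=,
    for f in $flags; do
        case $f in
            src|dst) ;;
            *) IFS=$oldifs
               echo "error: flag must be src or dst, got '$f'" >&2
               return 1 ;;
        esac
    done
    IFS=$oldifs
    printf 'iptables -I %s -m set --match-set %s %s -j LOG\n' "$chain" "$name" "$flags"
}

# The two cases from the mail, plus a deliberately mismatched one.
build_match_rule FORWARD MYIPS hash:ip src
build_match_rule FORWARD MYIPS bitmap:ip,mac src,src
build_match_rule FORWARD MYIPS bitmap:ip,mac src || echo "(rejected as expected)"
```

The set has to exist before a rule referencing it is inserted (ipset create MYIPS hash:ip, then ipset add), and because the flag order is positional, a type such as hash:ip,port with "dst,src" means destination IP and source port, so the check above is worth running whenever rules are generated by script.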