Hi,

Recently I attempted to work on a new libipset program and also tried to review something I wrote in the past (ssh-blocker). In order to find some "best practices" or a reference manual, I went to: http://ipset.netfilter.org/ but surprisingly, it has no developer resources even though it is supposed to be an alternative for calling the ipset program directly (http://www.spinics.net/lists/netfilter/msg52100.html).

Other things that I did in order to learn how to use libipset:

- Study ipset source code (stopped doing this since it is an implementation, internal details could change in the future).
- Write a Wireshark dissector for netlink/netfilter/ipset and study the protocol communications when invoking the ipset tool directly (merged in Wireshark v2.3.0rc0-324-gdd15a6d).
- Compare said protocol with lib/PROTOCOL to figure out what data must be set.
- Open my ssh-blocker code, remove ipset_type_get() for IPSET_CMD_TEST because it seems unnecessary according to lib/PROTOCOL.
- Discover that libipset does not send a netlink message. Found the error reporting functions ipset_session_error and ipset_session_warning.
- Look in ipset source code and discover that ipset_type_get() is not that optional, it sets IPSET_OPT_FAMILY and IPSET_OPT_TYPE...

As you can see, this involved a lot of trial and error.

Suggestions for improvement:

- Add information to README for help resources (IRC, mailing list).
- Add a tutorial on how (not) to use libipset (initialization, how to know what ipset_session_data_set to call, etc.)
- API reference (like https://www.infradead.org/~tgr/libnl/doc/api/group__core.html)
- (Link to other resources I have missed?)

Other than the documentation issue, ipset has been a very useful tool for me, so thanks for that!
--
Kind regards,
Peter Wu
https://lekensteyn.nl