On Tue, Dec 21, 2010 at 3:36 AM, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> On Mon, 20 Dec 2010, Reuben Martin wrote:
>
>> On Monday, December 20, 2010, Jozsef Kadlecsik wrote:
>> >
>> > On Sun, 19 Dec 2010, Reuben Martin wrote:
>> >
>> > > I'm trying to put together an extension to forward udp packets to an
>> > > arbitrary set of destinations using ipsets. Specifically I want the
>> > > extension to be able to take either an ipmap or iphash as a set of
>> > > destinations for the forwarded udp packets. (I'm starting with the
>> > > rawdnat, stripping out the tcp code, and changing it so that it
>> > > duplicates the packet as needed for destinations instead of changing the
>> > > dest address in the original packet.)
>> >
>> > I don't really see why you need to embed ipset. Why don't you call it as a
>> > normal match and use your extension as a target?
>>
>> I think I have misunderstood what can be done with ipsets. I knew you
>> could use it as a match, but for some reason I thought it had an API to
>> allow other extensions to use sets as targets. (i.e. my intention is, as
>> you suggested, to use the extension as a target)
>
> But what is the difference between
>
> ... -m set --match-set foo src -j YOUR_TARGET
>
> and
>
> ... -j YOUR_TARGET
>
> where your target calls internally the same or hardcoded ipset match?

The difference is that I'm not really concerned about the -m option at all. Any of the existing match methods are sufficient. I want to be able to do:

... -j MY_TARGET --ipset foo

where MY_TARGET would iterate over the members of foo, and for each member of foo the original packet is duplicated, the duplicate's destination is changed to the address value of the member, checksums recalculated, and sent on its way.

My intent is to be able to take RTP media stream packets, and transparently forward them to a dynamically changing group of destination addresses in a network where multicast is not an option.

I'm sure there might be other uses for it, but that's all I'm concerned about at the moment.

>
>> Is there any way via the standard API to request the contents of a named
>> set? That's really what I want to do. Basically for each packet I would
>> request I want to be able to check what addresses are in the set named
>> in the parameters of my extension, and then copy the packets to each of
>> those addresses, and hence have a dynamic list of destination addresses.
>
> In my previous mail I wrote about the current API and possibilities.
>

Yes, thank you so much. I finally got home last night and was able to take a look at it. I think that in order to do what I want, ipset would need a new exported function that would provide access to members of a set.

-Reuben
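
The per-member step described in the message above (duplicate the packet, rewrite the destination, recalculate checksums), as an added userspace C sketch that is not code from this thread, from rawdnat or from ipset. The names dup_udp_to and demo, the sample packet and the member addresses are assumptions made for illustration; enumerating real set members is not shown, since the thread concludes ipset exports no function for that.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* One's-complement sum of len bytes (RFC 1071), accumulated into sum. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    return len ? sum + ((uint32_t)p[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* UDP checksum over pseudo-header + datagram; ip points at the IPv4 header. */
static uint16_t udp_csum(const uint8_t *ip, size_t ihl, size_t ulen) {
    uint8_t ph[12];
    memcpy(ph, ip + 12, 8);                      /* source and destination */
    ph[8] = 0; ph[9] = 17; ph[10] = ip[ihl + 4]; ph[11] = ip[ihl + 5];
    return csum_fold(csum_add(csum_add(0, ph, 12), ip + ihl, ulen));
}
/* Copy pkt to out (at least len bytes) with destination dst and fresh checksums.
 * Returns bytes written, or 0 if pkt is not an unfragmented IPv4/UDP packet. */
size_t dup_udp_to(const uint8_t *pkt, size_t len, const uint8_t dst[4], uint8_t *out) {
    if (len < 28 || pkt[0] >> 4 != 4 || pkt[9] != 17) return 0;
    size_t ihl = (size_t)(pkt[0] & 15) * 4, tot = (size_t)pkt[2] << 8 | pkt[3];
    if (ihl < 20 || tot > len || tot < ihl + 8 || ((pkt[6] & 0x3f) | pkt[7])) return 0;
    size_t ulen = (size_t)pkt[ihl + 4] << 8 | pkt[ihl + 5];
    if (ulen < 8 || ihl + ulen > tot) return 0;
    memcpy(out, pkt, tot); memcpy(out + 16, dst, 4);
    out[10] = out[11] = 0;                       /* IPv4 header checksum field */
    uint16_t c = csum_fold(csum_add(0, out, ihl));
    out[10] = c >> 8; out[11] = c & 0xff;
    if (out[ihl + 6] | out[ihl + 7]) {           /* 0 means "no UDP checksum" in IPv4 */
        out[ihl + 6] = out[ihl + 7] = 0;
        c = udp_csum(out, ihl, ulen);
        if (c == 0) c = 0xffff;                  /* 0 is reserved, send all-ones */
        out[ihl + 6] = c >> 8; out[ihl + 7] = c & 0xff;
    }
    return tot;
}
/* Constructed sample (stale checksums on input); counts copies that verify. */
int demo(void) {
    uint8_t pkt[32] = {0x45,0,0,32, 0,1,0,0, 64,17,0,0, 192,0,2,1, 192,0,2,9,
                       0x13,0x88,0x13,0x8a, 0,12,0xde,0xad, 'R','T','P','!'};
    const uint8_t members[2][4] = {{198,51,100,7}, {203,0,113,20}};
    uint8_t out[32]; int ok = 0;
    for (int i = 0; i < 2; i++)
        ok += dup_udp_to(pkt, sizeof pkt, members[i], out) == 32 && !memcmp(out + 16, members[i], 4)
           && csum_fold(csum_add(0, out, 20)) == 0 && udp_csum(out, 20, 12) == 0;
    return ok;
}
```

The UDP checksum has to be redone, not just the IP header checksum, because its pseudo-header covers the destination address.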