On Thu, 23 Dec 2010, Jozsef Kadlecsik wrote:
> On Thu, 23 Dec 2010, Mr Dash Four wrote:
>
> > > The implementation behind ipset looks up the (ipaddr, proto, port) triple
> > > in one step. Such packing don't work there.
> > >
> > If that's the case how do you lookup IP address and port ranges then?
>
> IP address and port ranges are exploded and the elements are inserted
> one-by-one. And the exploded ranges are *not* converted back to ranges
> when listing/saving the sets. At the bitmap types the ranges could be
> converted back (not done yet), at the hash types it's not possible.
Just to illustrate:
# ipset create test hash:ip,port
# ipset add test 192.168.0.0/30,tcp:80-82
# ipset list test
Name: test
Type: hash:ip,port
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16888
References: 0
Members:
192.168.0.3,tcp:81
192.168.0.0,tcp:82
192.168.0.1,tcp:81
192.168.0.1,tcp:82
192.168.0.3,tcp:82
192.168.0.0,tcp:80
192.168.0.2,tcp:80
192.168.0.0,tcp:81
192.168.0.1,tcp:80
192.168.0.2,tcp:82
192.168.0.2,tcp:81
192.168.0.3,tcp:80
Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
