Re: [ANNOUNCE] ipset-5.0 released

The implementation behind ipset looks up the (ipaddr, proto, port) triple
in one step. Such packing doesn't work there.
If that's the case how do you lookup IP address and port ranges then?

IP address and port ranges are exploded and the elements are inserted one-by-one. And the exploded ranges are *not* converted back to ranges when listing/saving the sets. At the bitmap types the ranges could be converted back (not done yet), at the hash types it's not possible.
If I understand you correctly, if I define hash:net,proto,port ipset and add a single element to it - 10.1.1.0/30,udp,80-83 - that translates (in primitive terms) to:

10.1.1.0,udp,80
10.1.1.0,udp,81
...
10.1.1.0,udp,83
10.1.1.1,udp,80
...
10.1.1.1,udp,83
...
...
10.1.1.3,udp,83

In other words, the set actually consists of 4 (subnet size) * 1 (protocol) * 4 (port range) = 16 'internal' elements, is that right?

One other question - if I insert the above element in the set what is shown when I execute ipset -L: "10.1.1.0-10.1.1.3,udp,80-83" or the various permutations I listed above?
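As an added illustration (not code from the thread or from ipset itself), the following Python function expands an element written in the hash:net,proto,port syntax into the individual (ip, proto, port) triples described above, so the 4 * 1 * 4 = 16 count for 10.1.1.0/30,udp,80-83 can be checked. It assumes the address part is a CIDR block, a dash-separated range, or a single host, and that the protocol name is passed through unchanged.

```python
import ipaddress
from itertools import product


def explode_element(element):
    """Expand an ipset element such as "10.1.1.0/30,udp,80-83" into the
    individual "ip,proto,port" strings that, per the thread, the hash
    types store one-by-one. The order matches the listing above: every
    port for the first address, then every port for the next address.
    """
    net_spec, proto, port_spec = element.split(",")

    # Address part: "a.b.c.d-e.f.g.h" range, CIDR block, or single host.
    if "-" in net_spec:
        lo, hi = (ipaddress.ip_address(s) for s in net_spec.split("-"))
        if int(hi) < int(lo):
            raise ValueError(f"reversed address range: {net_spec}")
        hosts = [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
    else:
        # Iterating a network yields every address, including the
        # network and broadcast addresses, which is what ipset stores.
        hosts = list(ipaddress.ip_network(net_spec, strict=False))

    # Port part: "80-83" or a single port.
    if "-" in port_spec:
        p_lo, p_hi = (int(p) for p in port_spec.split("-"))
    else:
        p_lo = p_hi = int(port_spec)
    if not (0 <= p_lo <= p_hi <= 65535):
        raise ValueError(f"bad port range: {port_spec}")

    return [f"{ip},{proto},{port}" for ip, port in product(hosts, range(p_lo, p_hi + 1))]


def element_count(element):
    """Number of internal entries one element expands to. Useful to check
    before adding a large range, since every entry consumes memory in the
    kernel set (a /16 times a 1000-port range is 65.5 million entries)."""
    return len(explode_element(element))


if __name__ == "__main__":
    for entry in explode_element("10.1.1.0/30,udp,80-83"):
        print(entry)
    print(element_count("10.1.1.0/30,udp,80-83"))  # 16
```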
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

