The implementation behind ipset looks up the (ipaddr, proto, port) triple
in one step. Such packing don't work there.
If that's the case how do you lookup IP address and port ranges then?
IP address and port ranges are exploded and the elements are inserted
one-by-one. And the exploded ranges are *not* converted back to ranges
when listing/saving the sets. At the bitmap types the ranges could be
converted back (not done yet), at the hash types it's not possible.
If I understand you correctly, if I define hash:net,proto,port ipset and
add a single element to it - 10.1.1.0/30,udp,80-83 - that translates (in
primitive terms) to:
10.1.1.0,udp,80
10.1.1.0,udp,81
...
10.1.1.0,udp,83
10.1.1.1,udp,80
...
10.1.1.1,udp,83
...
...
10.1.1.3,udp,83
In other words, the set actually consist of 4 (subnet size) * 1
(protocol) * 4 (port ranges) =16 'internal' elements, is that right?
One other question - if I insert the above element in the set what is
shown when I execute ipset -L: "10.1.1.0-10.1.1.3,udp,80-83" or the
various permutations I listed above?
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
